Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-xs9t7agga8
Target 8fecd0dd91d9d0811d67e18db275c126
SHA256 89377e06e411db8fa2e76c586b549099c339d3d4ed6f4bc3b14888204c50a373
Tags
adware persistence stealer discovery upx
Score 7/10


Analysis Overview

Score 7/10

SHA256

89377e06e411db8fa2e76c586b549099c339d3d4ed6f4bc3b14888204c50a373

Threat Level: Shows suspicious behavior

The file 8fecd0dd91d9d0811d67e18db275c126 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer discovery upx

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks installed software on the system

Installs/modifies Browser Helper Object

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-02-04 19:08

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (this row appears 6 times)

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 224

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1432 wrote to memory of 1412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe (this row appears 3 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1412 -ip 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FineTop.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FineTop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.exe" | C:\Users\Admin\AppData\Local\Temp\FineTop.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FineTop.exe | N/A (this row appears 64 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3644 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\FineTop.exe | C:\Windows\SysWOW64\regsvr32.exe (this row appears 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\FineTop.exe

"C:\Users\Admin\AppData\Local\Temp\FineTop.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\FineTop.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | finetop.topguide.co.kr | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 1540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe (this row appears 7 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\FineTop\FineTop.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FineTop = "C:\\Program Files (x86)\\FineTop\\FineTop.exe" | C:\Program Files (x86)\FineTop\FineTop.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4012 set thread context of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | C:\Windows\SysWOW64\explorer.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\FineTop\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | N/A
File created | C:\Program Files (x86)\FineTop\FineTop.dll | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | N/A
File created | C:\Program Files (x86)\FineTop\FineTop.exe | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | N/A
File created | C:\Program Files (x86)\FineTop\adc.acc | C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\FineTop\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Program Files (x86)\\FineTop\\FineTop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Program Files (x86)\\FineTop\\FineTop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Program Files (x86)\\FineTop\\FineTop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Program Files (x86)\FineTop\FineTop.exe
PID 3608 wrote to memory of 2200 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4012 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe

"C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoTab\InfoTab.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\PlusTab\PlusTab.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoWise\InfoWise.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\WiseBar\WiseBar.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\FineTop\FineTop.dll"

C:\Program Files (x86)\FineTop\FineTop.exe

"C:\Program Files (x86)\FineTop\FineTop.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\FineTop\FineTop.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 finetop.topguide.co.kr udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\nsProcess.dll

C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\UAC.dll

C:\Program Files (x86)\FineTop\FineTop.dll

C:\Program Files (x86)\FineTop\FineTop.exe

C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\IpConfig.dll

C:\Program Files (x86)\FineTop\adc.acc

C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\NSISdl.dll

C:\Users\Admin\AppData\Local\Temp\nsj695A.tmp\SelfDel.dll

memory/4012-69-0x0000000073560000-0x0000000073569000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 1968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 3048 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FineTop = "C:\\Program Files (x86)\\FineTop\\FineTop.exe" C:\Program Files (x86)\FineTop\FineTop.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2524 set thread context of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FineTop\adc.acc C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe N/A
File created C:\Program Files (x86)\FineTop\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe N/A
File created C:\Program Files (x86)\FineTop\FineTop.dll C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe N/A
File created C:\Program Files (x86)\FineTop\FineTop.exe C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\FineTop\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Program Files (x86)\\FineTop\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Program Files (x86)\\FineTop\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A
N/A N/A C:\Program Files (x86)\FineTop\FineTop.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Program Files (x86)\FineTop\FineTop.exe
PID 2524 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Program Files (x86)\FineTop\FineTop.exe
PID 2524 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Program Files (x86)\FineTop\FineTop.exe
PID 2524 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Program Files (x86)\FineTop\FineTop.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 2672 N/A C:\Program Files (x86)\FineTop\FineTop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2524 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe
PID 2524 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe
PID 2524 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe
PID 2524 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe

"C:\Users\Admin\AppData\Local\Temp\8fecd0dd91d9d0811d67e18db275c126.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoTab\InfoTab.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\PlusTab\PlusTab.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\TopGuide\TopGuide.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\InfoWise\InfoWise.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\WiseBar\WiseBar.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\FineTop\FineTop.dll"

C:\Program Files (x86)\FineTop\FineTop.exe

"C:\Program Files (x86)\FineTop\FineTop.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\FineTop\FineTop.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 finetop.topguide.co.kr udp
US 8.8.8.8:53 finetop.topguide.co.kr udp

Files

\Users\Admin\AppData\Local\Temp\nsi3563.tmp\nsProcess.dll

MD5 05450face243b3a7472407b999b03a72
SHA1 ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
SHA256 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
SHA512 f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

\Users\Admin\AppData\Local\Temp\nsi3563.tmp\UAC.dll

MD5 29858669d7da388d1e62b4fd5337af12
SHA1 756b94898429a9025a04ae227f060952f1149a5f
SHA256 c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
SHA512 6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

C:\Program Files (x86)\FineTop\FineTop.dll

MD5 82a6904974f4f20c147fce776663b1b0
SHA1 eee8e0a93cb1be3dcfef2699f154f0881e68dda4
SHA256 407a5ed628dbd6f1c2cea2276b4ea98f053160dd6f5ee3007dcbad02382a1a77
SHA512 50dfb3c8e67e1ef794f3dd1b4caaa515bfe342e17e4bb73dd2b1e58a2ac61e327bed2395c1f36d8f2a69de8c5a73ce03eda03a9c0c5515b5965191edfb22c005

\Program Files (x86)\FineTop\FineTop.exe

MD5 61c81941b91b1d502971bd42a29806a1
SHA1 72ee7b2fb665f01415a00267cbc1a5d385d1f0cf
SHA256 6e0d4e65b147d69b249c40c1f9cc5ea82ae3179777bd25462eef3449d3bbbdb8
SHA512 0583df8495ed3c252713bfa2b0b38b9a2aac8ce22ed5e50e42cf5a7d94e903e605614a5ab507a0b10497f434759c945eec7ae1f124f530fe3d488f4ec661de7f

\Users\Admin\AppData\Local\Temp\nsi3563.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

C:\Program Files (x86)\FineTop\adc.acc

MD5 72b966950a0f53df4ce2fdb19679c3c6
SHA1 ccfff4ecc68608a6231e75e175d2aeba62d37fa5
SHA256 aa3c21a88e93709f149284cc17a37439d3f7f90b785119fee5ef330902718b65
SHA512 84149a210748bc45f02d7f5e12b37e91eba44500d7222efaa46228b1330ffe0dfc1efbb612a67a562ddffc3048ba5d67426b739ac950e8da27f0ee9e86707e33

\Users\Admin\AppData\Local\Temp\nsi3563.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\nsi3563.tmp\SelfDel.dll

MD5 7cff7fe2caea5184d98c147e7e263132
SHA1 21f39d3d0dd5f7198d67ef30e95d10ae3460093e
SHA256 281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101
SHA512 fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

memory/2524-63-0x0000000074DF0000-0x0000000074DF9000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

102s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4116 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp

Files

memory/1096-0-0x0000000074D90000-0x0000000074D99000-memory.dmp

memory/1096-1-0x0000000074D90000-0x0000000074D99000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 4644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FineTop.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 4840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231129-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FineTop.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FineTop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.exe" C:\Users\Admin\AppData\Local\Temp\FineTop.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\ = "FineTop 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID\ = "FineTop.TopBand.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID\ = "FineTop.TopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ = "FineTop" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FineTop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID\ = "{CBF53489-AD8D-4637-965A-413861EEC7CF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ = "ITopBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1\ = "TopBand Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF53489-AD8D-4637-965A-413861EEC7CF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FineTop.TopBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1AACA8D-4899-4D6C-B360-403A5A20B5D2}\TypeLib\ = "{3E54C6DC-A2C6-404C-A36F-DE346281B3A7}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FineTop.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FineTop.exe

"C:\Users\Admin\AppData\Local\Temp\FineTop.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\FineTop.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 finetop.topguide.co.kr udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 8 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 19:08

Reported

2024-02-04 19:10

Platform

win7-20231215-en

Max time kernel

140s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 220

Network

N/A

Files

memory/1884-0-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

memory/1884-1-0x0000000074EB0000-0x0000000074EB9000-memory.dmp

memory/1884-2-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

memory/1884-5-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

memory/1884-6-0x0000000074EC0000-0x0000000074EC9000-memory.dmp