5c29571473e307c8b3707f6aa2590779fcb9bcd4aff681ff49f05fc172d99a59

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99cc674e13a8576ad88dd17ec98e9426.exe
Size

611KB
MD5

99cc674e13a8576ad88dd17ec98e9426
SHA1

647107d0f1a4319f10376e83ec286a0f0bd5a949
SHA256

5c29571473e307c8b3707f6aa2590779fcb9bcd4aff681ff49f05fc172d99a59
SHA512

0b3c2a98faade7594423b1e808ab35dd6f603c4eba4373a3ad05e8566ac941e828dd01b5afded3328f1819d4a09861628460b1ec7d1d6c0b2b4e045c8fdd8d3c
SSDEEP

12288:ZmNVdMxVxw6YzecXL0ZOd9eH0En7IOm2Xh0tmsuqf2M4GJh5UTk:ABswVCbZI9adXgoqf6eYTk

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1820	AdvTCApp.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	99cc674e13a8576ad88dd17ec98e9426.exe
2836	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adv_TopC = "C:\\Program Files (x86)\\AdvTopC\\TCSearch.exe"	99cc674e13a8576ad88dd17ec98e9426.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AdvTopC\AdvTCApp.tlb	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\TCHelper.dll	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\TCUnins.exe	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\tcse.dat	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\TCSearch.exe	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\tcwhk.dll	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\tcskip.dat	99cc674e13a8576ad88dd17ec98e9426.exe
File created	C:\Program Files (x86)\AdvTopC\AdvTCApp.exe	99cc674e13a8576ad88dd17ec98e9426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\AppPath = "C:\\Program Files (x86)\\AdvTopC"	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\AppName = "AdvTCApp.exe"	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\CLSID = "{86D56D8B-9667-4C58-8BE5-37616F07A2AE}"	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\Policy = "3"	99cc674e13a8576ad88dd17ec98e9426.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\AppName = "AdvTCUp.exe"	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\AppPath = "C:\\Program Files (x86)\\AdvTopC"	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\Policy = "3"	99cc674e13a8576ad88dd17ec98e9426.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	99cc674e13a8576ad88dd17ec98e9426.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}	99cc674e13a8576ad88dd17ec98e9426.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCUIHandler\CurVer\ = "AdvTCApp.TCUIHandler.1"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ProxyStubClsid32	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\TypeLib\ = "{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\CurVer\ = "TCHelper.AdvTCCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\CurVer\ = "AdvTCApp.TopClickReceiver.1"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}\LocalServer32\ = "\"C:\\Program Files (x86)\\AdvTopC\\AdvTCApp.exe\""	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\InprocServer32\ = "C:\\Program Files (x86)\\AdvTopC\\TCHelper.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCExtDisp.1\CLSID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\ProgID\ = "AdvTCApp.TCUIHandler.1"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver.1\ = "TopClickReceiver Class"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\TypeLib\Version = "1.0"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCExtDisp.1\ = "TCExtDisp Class"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\LocalServer32\ = "\"C:\\Program Files (x86)\\AdvTopC\\AdvTCApp.exe\""	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\CLSID	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}\VersionIndependentProgID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ = "ITopClickReceiver"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib\Version = "1.0"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\ = "ITCUIHandler"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\ProgID\ = "TCHelper.AdvTCCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\ = "TCExtDisp Class"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCUIHandler	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\VersionIndependentProgID\ = "AdvTCApp.TCUIHandler"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver.1	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}\Implemented Categories	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\ProxyStubClsid32	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl.1\CLSID\ = "{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AdvTopC"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\TypeLib\ = "{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCUIHandler.1\ = "TCUIHandler Class"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\ProgID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}\VersionIndependentProgID\ = "AdvTCApp.TopClickReceiver"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\TypeLib	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib\ = "{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\Programmable	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\ = "AdvTCCtrl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\TypeLib\ = "{393A6F9A-B9AF-4cc4-9205-7D9AD84E3599}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\CLSID\ = "{86D56D8B-9667-4C58-8BE5-37616F07A2AE}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\LocalServer32	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\CurVer	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\ = "ITCExtDisp"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\ProgID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AdvTopC"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7C3D497D-F1D3-4E2C-A3C1-613D598C7B65}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl.1\ = "AdvTCCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\TypeLib\ = "{393A6F9A-B9AF-4cc4-9205-7D9AD84E3599}"	AdvTCApp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1820	2252	99cc674e13a8576ad88dd17ec98e9426.exe	28
PID 2252 wrote to memory of 1820	2252	99cc674e13a8576ad88dd17ec98e9426.exe	28
PID 2252 wrote to memory of 1820	2252	99cc674e13a8576ad88dd17ec98e9426.exe	28
PID 2252 wrote to memory of 1820	2252	99cc674e13a8576ad88dd17ec98e9426.exe	28
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29
PID 2252 wrote to memory of 2836	2252	99cc674e13a8576ad88dd17ec98e9426.exe	29

C:\Users\Admin\AppData\Local\Temp\99cc674e13a8576ad88dd17ec98e9426.exe
"C:\Users\Admin\AppData\Local\Temp\99cc674e13a8576ad88dd17ec98e9426.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files (x86)\AdvTopC\AdvTCApp.exe
  "C:\Program Files (x86)\AdvTopC\AdvTCApp.exe" /r
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1820
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\AdvTopC\TCHelper.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AdvTopC\AdvTCApp.tlb

Filesize
3KB

MD5
665656ceda2660da436eb6c2c518473d

SHA1
6e2b6b6b2032a2b1ce1963af8480ab41143f6371

SHA256
ddeef9fc2836cc5916456129c1500c497b5d87e0d315f0297cbbea3661f27871

SHA512
3e0c86c304babd0447284721f6746aa6c01a08f13d7f8c49b16594a7260bba7ec7073a79918107eacf9b686dd32c006b4744fff8b8e6d553507444ff8254e7d3

Download Submit
C:\Program Files (x86)\AdvTopC\TCHelper.dll

Filesize
244KB

MD5
a4e15995cacb7bd5ec5c630653b3492a

SHA1
1f45575a04095061ad35c4dfc5d2716ae273be42

SHA256
be1a008d6ab6894ff9896ffa85404f9cf419c1b8952977687aa9bb6f24672139

SHA512
1d611fbe5f0f118b20cf159dbee18261e343d4b6addded484eb30b0b2782de29a1ae6cda80006e388eb3b993f416a958a822102416b9bd086a1d088104a0d072

Download Submit
\Program Files (x86)\AdvTopC\AdvTCApp.exe

Filesize
394KB

MD5
deec7b9c0e4e632b7c0b0cf74b7d2941

SHA1
fdf8d9b9ee6c0ba37f03197c18ad4305f7be88b8

SHA256
376552c201e989925c46526db823c00f16d5709b8d9474a35736aa528ce3b3bb

SHA512
93a18e70462ad468319e88ea3dc095a721699bb26e719f41d485ced53ed28216a35a134796a877df507ee316ebb5d5c85c5f8366fedc634807e1ce721a726319

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads