f21353e4a527dd03b2c5feac9e4d21c5cbb657be026095d9a6cb32c34a0a94ce

Analysis

max time kernel
172s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b14b73897c12825d4d994e9a817140.exe
Size

2.7MB
MD5

a1b14b73897c12825d4d994e9a817140
SHA1

4e910b049638d6ad8aaf90832336c6c0a2cb48f0
SHA256

f21353e4a527dd03b2c5feac9e4d21c5cbb657be026095d9a6cb32c34a0a94ce
SHA512

71bed6b79dbdfb85b692c09def3f17f9dc0f3c20825dad5ab2427f452e94372aee402cadcacc0a9e70ad51e9f6aaba314309b04c540e3608d81bf22e8f583de8
SSDEEP

49152:6QgA7wy45ejW+0VmC9JXHnIYFFpI1vBhTodumyjJOjFzK:6Qg4w7GW+0VmC9JXHIYfkvBhTodumyjt

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2816	MWSSETUP.EXE
1660	mwsoemon.exe
1760	mwsoemon.exe
888	MWSSRCSP.EXE

Loads dropped DLL 45 IoCs

pid	Process
2676	a1b14b73897c12825d4d994e9a817140.exe
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
1660	mwsoemon.exe
1660	mwsoemon.exe
1660	mwsoemon.exe
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
2816	MWSSETUP.EXE
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
1760	mwsoemon.exe
2676	a1b14b73897c12825d4d994e9a817140.exe
2676	a1b14b73897c12825d4d994e9a817140.exe
888	MWSSRCSP.EXE
888	MWSSRCSP.EXE
888	MWSSRCSP.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	MWSSETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	MWSSETUP.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ = "mwsBar BHO"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}	MWSSRCSP.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44CF-8957-5838F569A31D}	MWSSRCSP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}	MWSSRCSP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ = "MyWebSearch Search Assistant BHO"	MWSSRCSP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\f3PSSavr.scr	MWSSETUP.EXE
File opened for modification	C:\Windows\SysWOW64\f3PSSavr.scr	MWSSETUP.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.JAR	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3PSSAVR.SCR	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.JAR	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Game\CHECKERS.F3S	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3BKGERR.JPG	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SHLLVW.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SPACER.WMV	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WALLPP.DAT	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\CHESS.F3S	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL	MWSSRCSP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3BKGERR.JPG	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.JAR	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\Settings\s_pid.dat	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SHLLVW.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.JAR	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SPACER.WMV	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WALLPP.DAT	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL	MWSSETUP.EXE
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\CHECKERS.F3S	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Game\CHESS.F3S	MWSSETUP.EXE
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL	MWSSETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks	MWSSRCSP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}	MWSSRCSP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	MWSSRCSP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA}	MWSSETUP.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	MWSSETUP.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run	MWSSETUP.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run	MWSSETUP.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E6F1832-9607-4440-8530-13BE7C4B1D14}\ProgID\ = "FunWebProducts.PopSwatterBarButton.1"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}\ProxyStubClsid32	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.ShellViewControl\CurVer\ = "FunWebProducts.ShellViewControl.1"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{938AA51A-996C-4884-98CE-80DD16A5C9DA}\ = "ExplorerStub Class"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\ = "IDataCtrl"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.IECookiesManager	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805}\InprocServer32\ThreadingModel = "Apartment"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25560540-9571-4D7B-9389-0F166788785A}\ProgID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906}\1.0\0\win32	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\ProgID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearchToolBar.ToolbarPlugin\CLSID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}\1.0\0	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}\ = "IF3AIMContainer"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\ = "IF3IMPlugin"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScreenSaverControl.ScreenSaverInstaller.1\CLSID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.ShellViewControl	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9D7BE3E-141A-4C85-8CD6-32461F3DF2C7}\Version	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\MWSBAR.DLL"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}\TypeLib\ = "{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel\ = "MyWebSearch HTML Panel"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ = "_IDataCtrlEvents"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E720452-B472-4954-B7AA-33069EB53906}\Version	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.PseudoTransparentPlugin\CLSID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14}	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B813095C-81C0-4E40-AA14-67520372B987}\VersionIndependentProgID	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.KillerObjManager\CurVer\ = "FunWebProducts.KillerObjManager.1"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}\TypeLib	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}\TypeLib\Version = "1.0"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{991AAC62-B100-47CE-8B75-253965244F69}	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\TypeLib\Version = "1.0"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}\TypeLib\ = "{07B18EA0-A523-4961-B6BB-170DE4475CCA}"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}\1.0\0\win32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\MWSOEPLG.DLL"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EFF3CF7-99C1-4c29-BC2B-68E057E22340}\Version\ = "1.0"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HistorySwatterControlBar.1\ = "HistorySwatterControlBar Class"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E720452-B472-4954-B7AA-33069EB53906}\InprocServer32\ThreadingModel = "Apartment"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906}\1.0\FLAGS\ = "0"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.IECookiesManager.1\ = "IECookiesManager Class"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805}\ = "HttpControl Class"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID\ = "MyWebSearchToolBar.ToolbarPlugin"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}\InprocServer32\ThreadingModel = "Apartment"	MWSSRCSP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\TypeLib\Version = "1.0"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}\1.0\ = "HistoryKiller 1.0 Type Library"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98D9753D-D73B-42D5-8C85-4469CDA897AB}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\F3HTMLMU.DLL"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu\CurVer\ = "FunWebProducts.HTMLMenu.1"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\F3HTTPCT.DLL"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.ShellViewControl.1\ = "Fun Web Products ShellView Control"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}\ = "IF3AIMContainer"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HistorySwatterControlBar\CLSID	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MWSSETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}\ProgID	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E720451-B472-4954-B7AA-33069EB53906}\ = "IMyWebSearchHTMLPanel"	MWSSETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\SrchAstt\\1.bin\\MWSSRCAS.DLL"	MWSSRCSP.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2816	MWSSETUP.EXE
Token: SeBackupPrivilege	2816	MWSSETUP.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1760	mwsoemon.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2676 wrote to memory of 2816	2676	a1b14b73897c12825d4d994e9a817140.exe	29
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1660	2816	MWSSETUP.EXE	30
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2816 wrote to memory of 1760	2816	MWSSETUP.EXE	31
PID 2676 wrote to memory of 888	2676	a1b14b73897c12825d4d994e9a817140.exe	32
PID 2676 wrote to memory of 888	2676	a1b14b73897c12825d4d994e9a817140.exe	32
PID 2676 wrote to memory of 888	2676	a1b14b73897c12825d4d994e9a817140.exe	32
PID 2676 wrote to memory of 888	2676	a1b14b73897c12825d4d994e9a817140.exe	32

C:\Users\Admin\AppData\Local\Temp\a1b14b73897c12825d4d994e9a817140.exe
"C:\Users\Admin\AppData\Local\Temp\a1b14b73897c12825d4d994e9a817140.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\a1b14b73897c12825d4d994e9a817140.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
    "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe" /d
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1660
- - C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
    "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1760
- C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSRCSP.EXE
  "C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\a1b14b73897c12825d4d994e9a817140.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSETUP.EXE

Filesize
1018KB

MD5
5155a7639517cfdbbb508311f1dfee57

SHA1
fcedccb6458a1f5fba636348fa14db6654ee5b70

SHA256
e4c3243ffe7424387d5d81c219c824012677d0b5f0af60e6cb9534d45dd62761

SHA512
a8db038cc878df5bb350e1d20e35eaab9ee64ee0b5590423b543c347089c6814699ff4ccce7928c068064a9a1341f4dfdd9cb535f9d7ea1ad51e226e27810c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\bar.0\MWSSETUP.EXE

Filesize
2.6MB

MD5
a96ac7e53bf2dfc62f4358d521b82439

SHA1
3793e3a6d64a46f893e36047013754977247bc7e

SHA256
6b217075440abe30e25a1c05094dcbd309cf5b5b32930de977ff8d015c8def4c

SHA512
3a63b6c0d8ced0696223130e5c598d9c53352b1caf9525e36a819c69a9c0af589c1665d46f3908beb3ceddf1fca37230c51c031ac961002fc538a1991bb429a3

Download Submit
\PROGRA~2\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

Filesize
28KB

MD5
dd59256ad65f4cdca0bce69216ae403b

SHA1
6e7383b770b88361ed4aa1120ae7fde1b802e536

SHA256
ec6909802e2357cb896baa0625564f02649386cc5dc9c293deb3715c5c6a37cd

SHA512
102bdd6cc34b3a02ccf885b256d3fc0422ed2d8e76ded3ffa7e053193ae3d1ff47e4794ea512966d8c131a9bd7dfaa771d3e2740efced59681fa53e419abf061

Download Submit
\Program Files (x86)\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

Filesize
56KB

MD5
8965254e205f2696b019c651f8993b27

SHA1
7344bf36d56b6cb36366b9e41ac4b192398c4d51

SHA256
bd69d7edbf471e889d3743d806914867c833edb7afc8a3f6454ccee859325be1

SHA512
cdcb99bc47c41130f4e44a9ea79e735159413ea884baca1fd3eb28643e488d4c0f7e18590f87e467ad7ee290b7dd99f2870a767b3a6625eee1d4c36a91c1e771

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL

Filesize
136KB

MD5
1d943cb3cbdd92161ae32532fb88265d

SHA1
78c77209fae53d1b449000a4db8b3dae840ebb3c

SHA256
3f740bbec0ae71dcf87d640a914ad3ae487a75887f8242c75524ef91d54afc62

SHA512
d61b6882a0919408be27c28f0c18d8361e4df275e14b0f664474877c008fba8629357fca3b24149f9a64bfcc6817eda95ad0378d2e3e56d7900e3ca2e5f04a17

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL

Filesize
64KB

MD5
e11b7692643b94d7ef42de476cf88d9e

SHA1
61a5d849ca2b86153116845839af15b6fce3aad7

SHA256
99ff6a34bf99647af34947d5274e33f71b4c4a2b66bc317f9e6ab3086cdac7fc

SHA512
a11fcb41be94cdf6e32fa64d1208abc2ee53e2f1824f09a53a928a48f1d66a77fa62990e789b788326082afae284bc58cc9301b0ec73a8c46d644ac972aefd69

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL

Filesize
244KB

MD5
e12730adb54fc2d75c5138c1165072b6

SHA1
c803ff72de92902f5ed4d2365db35431d1e25100

SHA256
b5caad4e6c5839d16f264d80548943e82013bc42fbe3315553861b5dd6d4bd4d

SHA512
537b2a1bb6bf71c9638bb47988e2576f28a17c8bc2e985db2131c9da2c222debd88720afe0dbabe8161a03eb35ee42dd984b268683ab9094bd3d849833aa58c0

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

Filesize
120KB

MD5
d8ddca94a26244aa83aeffc35b65ce71

SHA1
61e33b82f008bd11f74144b78afdae47cc6b2530

SHA256
4d240f474d372b5c1de8d766bd3f8b9215d95dcb948719ce8427743335d79160

SHA512
5f9c46c267309e74ec653428666f84e95fc427e9c6941ff860bef984cc1a08c5cabd65aa7b7576e36e5fcb8858c119333e2bbfc70523d208987d17cb96c485a3

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

Filesize
72KB

MD5
03e5f2e8ea3812e438d6bc34be6ce726

SHA1
50afb50a8fcd11cd2cd59f2564fe7b60bbfcf3ce

SHA256
40e6b8a99dbb872e6fcc1ba7c0ddb8f2ff0f717e586ee024962a6c2ce0f6af47

SHA512
9b613ad3e478ab9caffc6142628b845deef80e3c2f27c12f8c5eb581ee44f3ca0d0ee582fd7d970194cea8bd3aa99b697fc05249b635e1836182cd10b8a370e1

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

Filesize
24KB

MD5
7272bf7bbd5eb20be011f975a81350cf

SHA1
567ccdd7a4642ea15609d8a1d6b5970a59af567f

SHA256
e522bcdc8dd85af3cea65dc6641ff533e087fbea3aed54d04b6fada4cbefa3ad

SHA512
a9da83278eaf4921b53262fb4f67ca5892e30d98dd73720206706fc234aa065ee652e5917d73bcd040dd013be9606c0948962579d138420caf0ec8e61bf635eb

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL

Filesize
116KB

MD5
96da779e21e40dad5db7c670bd93c996

SHA1
00b224187ce4c7e378e954db76d1af86ddf1403b

SHA256
c2fc451128f64880e1f79bbda15de0c7be67f8bc43fac35cc760fc433d3ec94d

SHA512
edb221d8191e757b3ed69d4eef1335f1dd1e0feaf6fb3ad9cbf6c739862ab0d8e983a5eafb9afda6f49650e592f925177349bb3e06ecf31aa3e2bb5bfb46fb1f

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL

Filesize
92KB

MD5
ff2d63823491a2b622c16d085a764a2a

SHA1
9ce6e04ff68a9e9a3d4774a69eb8191318639066

SHA256
f0c6690a674330d38031353f21914565dc38f2e40ef48d58c4fa413289fad5cc

SHA512
62b5571fbcff508864d79de92491060551534964cbbdade3faea5c3438ce94c370bef55cd497cbef632bc698ed538d325724f23be9ca0e425461fcb5f34acdaa

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL

Filesize
24KB

MD5
e9b3073dbf662cae01d79a4bda061018

SHA1
23ae964b34ecd915c4146ee46c0224b1d87c680c

SHA256
a3bbeab90b9e056fce5f35fe8a5aa11ccf564a695b23a3b75fa22d9edf436035

SHA512
eb62ce0fee8a8536ed710850468e1b1bcb4a0fff059590405362a366b160d10409ec8f8be90c0a4207676a1a5e0086636f98e2442a9e2f2224e375a911286fa4

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

Filesize
284KB

MD5
633686c1f4c5e7da080f2314880e2040

SHA1
c7f33a33385174674639f290fd2e8e8d46f1fecc

SHA256
a2039edf550b7e8e098a5793b70078426f555cf14d40d0b865b1e330ab8942e6

SHA512
4e51a730340916013761b2c671448c89bbde2113d348f0bc838ed9cf32edca9d18d2429ac3c1000ced166767288200e0d3d78a9d2118645c9c485fbb0d319dab

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3SHLLVW.DLL

Filesize
140KB

MD5
018d30e0bd67e08eea098fecd3ec8da0

SHA1
818207a073dc6d58554861f7cb8f300e2312688d

SHA256
9524561c123070d11dc286e9a6752a271a4c3272728574533b705d60ee16e4c7

SHA512
fb2da81e3fd81c0e77bac080e8c5e0a0e5516065be525a2cc65ea0d7a1faa805b3bf78374a64aaa000bdc2e9eafa1cf0f1cbeecf336f784e2ea03bb534514baf

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

Filesize
20KB

MD5
cee57e05eccf470e751689ded838b7d2

SHA1
0abbc8d0284780bfa10d09f8b78c4964ffaffecd

SHA256
2cf54c47ddbc69ebc4e199e11c15c202844645aa97aed823ad2ac2df54df92f3

SHA512
4c0399857b5152185195cd27bcb8cefd15690499ab8ea426ef53a83b9ed9e7037786eef2f3fbe9ac625d3a48364f2b343f5eb24767d9dd404ece37c88265d161

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL

Filesize
80KB

MD5
0366f9d95495fbc5d9716086cca64def

SHA1
68c5477032811eb78e73ac526b37dd7cc8b684f2

SHA256
ff9e70a61754e400b92e91d20359c04f0a85fafc483186ce1c29e140d0a94b57

SHA512
49c619ae9b2c714976f30f041ed710c1862ab39ee83c996973c0545ce355f5a94832cb8416fe5feb85e41fb0909ecf2726c19f7833a2ec47b8e891a5dd3b3345

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL

Filesize
28KB

MD5
e96db55df87cfb08293e2dd1ccb5dceb

SHA1
9fb6bcf3b27e4800111046e4acdf51bb3455fec7

SHA256
593637fead6adc228609ded0b86b99ac92f4dfad094f45b1d5daaffb61f9ae41

SHA512
47aaae5770eb231ea1d09069cf579f9b3bdeaee6a9af46c7686d291a2158d50ff756fd6c4a5a69c6f0c6489b5085edaf1224a72677495bda7774dcf75a1695fc

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

Filesize
56KB

MD5
d3dc055a901b6ef0bb4d01fdb142cac8

SHA1
105b6c14ecc409fe245740a8f51da2f6cd0e0240

SHA256
c1881164bb57b58c5fa1a52fe1521c4bd77a6eb5a65713cb88a43735a3eee115

SHA512
b758949d58f8332fc56afb6aa3da9374ece71bde98a9dabd8d92cb110fecafec9f772ad4246febd9f2dbbe51a1054f1e65f08d428ee0fed14d1f5e5728cf8183

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

Filesize
48KB

MD5
207f30e7447503ec85cff6ca3a2c80d1

SHA1
802c923cdd0c92ee89d0327ce6af9efce61a5d45

SHA256
3bbad3a65d52b495f553fb84b33b815758de8498b06542811be21eec37275906

SHA512
6401671843dc26385953fa43f62c47de561af017c2a241191b9c1d26157b38b0ab3bdd1f8590da45a2b39779e13c32eea8de00f6e60b2bf11abfbe341cfc093c

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL

Filesize
112KB

MD5
660b4305719eb04cb96320314e64ebb2

SHA1
cc4224c33929488258752f10e4ed6614975d478c

SHA256
c2b6c2a257fedf26f85a72b9ad1e8b697c6d3c5685423e921bd74618009b91bb

SHA512
5dc0a6aae9b93ca6bdb2b2d661e7c892349ee649b5b4600029291aeaf3bb7309f1f4a5b8eb57bb56b55f1db14f76df1e777a57e5cb36d1ed8420d37f7d92dfe8

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL

Filesize
300KB

MD5
5709870f72d8a5238ee87769008080ba

SHA1
7476b4a1f3416639ee010cca48a54ca5b796624c

SHA256
7efb587b380c7d8db76c0ddca515a22ec4d767425097af4998f4d3be6e32e8b2

SHA512
53d93ebf6cb1a2470074b3f2829e9440c45752a34ad77edf6b70c3e950c8ba930c5b5353dd7aee65dc1c52c0ba12a71a7cca081cbed72fbb8a7a8c22d750f502

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

Filesize
300KB

MD5
424e044fd204ff7beb61d0d6a277ca71

SHA1
1d8e389a961af54056aa2005350ec8d58f579ced

SHA256
884a83ac865b26fad854ff0dc76ab81f55de3fd063c0364e7da1bf89b3e6b78b

SHA512
6ed5cb68c175c4c70f9087061292aa3ff7ebbac7df904fb57dce2b72492eea78f9da7e2b88ddf709adcbec8891f243eea89a9036e4b346fbec23bcb53c70156f

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL

Filesize
40KB

MD5
9faaea13c25a9e88998b246f5efaa0e7

SHA1
7ff8a9a1830f1d34bea6cd7bf8b2a05fff2e7f98

SHA256
0a41b5a451d3bfb693c8d967d0d818c1c346df6030f7bfad90ad9445fe04cb75

SHA512
a5e8d9e4eef0844da09df6ab4eb8dbfd54eb8a1533609747ba0f896acd3906896e3f7225fb00bf94de0f17126b1690ef357d2d62167e886229e3e799a8fcbe3b

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

Filesize
24KB

MD5
d185292c547e25e4eed729a8c6df40d8

SHA1
c75b68b48458eec86658000a0cd7ca33251bd6b1

SHA256
d29d938d2968c296001f564a0559d06a6138f7abf1be61da4a710d464c5536d8

SHA512
3b2d8f37efaec2aff0c0da7906f1eae4c840424454683ee260cc8e6c003ab4a55e41935fd45196de876ff5569ae27680c74615ec03426c73e1573f762ef81fb6

Download Submit
\Users\Admin\AppData\Local\Temp\bar.0\MWSSETUP.EXE

Filesize
2.1MB

MD5
caf61b6594fd547e47c6b1f899b38c71

SHA1
0a2b78155ff9563c6b03e3ffd6b9f65d5c6c1df0

SHA256
973400c69383f021759c6ada48775c4ccd532dbf2afc7ee82127b5d07971e46c

SHA512
fd6046f60182a2e7467c885d6273ac1d6c111aed871012b43b42448554544007992360fc802f16ba3db6a2fb0cc138645e5b72126c23ab388924c52f5d03f4f7

Download Submit
\Users\Admin\AppData\Local\Temp\bar.0\MWSSRCSP.EXE

Filesize
76KB

MD5
799caf0a8c2f59f905be08384c3deb97

SHA1
3e07f9658e02f39a30a1754f0449bbdae6980720

SHA256
b461fb63bfd3034846138d63d2df7051f6f5ad58474a1a41a702d76494639e50

SHA512
b4446d54897958efe840e489f29de15070b2438213906f3d0eabb34b854cba58995152c0b8680924aa4ccc15f60ac6d18d031a1e383a801bedc62d436cf3c422

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads