Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-k1bk5sef9w
Target dda23622e11ab157654d735ae2eef9f9
SHA256 745b1207b5e0d08e3c1e88930698e526541731bf52a63845b50eca1c0f9a493b
Tags
adware bootkit persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

745b1207b5e0d08e3c1e88930698e526541731bf52a63845b50eca1c0f9a493b

Threat Level: Likely malicious

The file dda23622e11ab157654d735ae2eef9f9 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit persistence stealer

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 09:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 09:03

Reported

2024-03-25 09:06

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\341d.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always" | C:\Windows\SysWOW64\rundll32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\341d.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\b3fs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4f3r.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b34o.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\s.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\a1l8.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\34ua.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4f3r.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\341e.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b34o.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\6630-12329 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\3bef.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\a1l8.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1ba4.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\3063 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\14rb.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b4cb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b4cb.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\144d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\bf14.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\f6f.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\Tasks\ms.job | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\6f1u.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\4bad.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a34b.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\8f6.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8u.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\14ba.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a8f.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a8fd.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8d.flv | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ProgID\ = "BHO.FffPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ = "IFffPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ = "IFffPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ = "CFffPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\VersionIndependentProgID\ = "BHO.FffPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2476 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 2476 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\341d.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 680 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2476 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2476 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2476 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2476 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2476 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2476 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2476 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -i

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -s

C:\Windows\SysWOW64\341d.exe

C:\Windows\SysWOW64\341d.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | yahoo.com.cn | udp
US | 8.8.8.8:53 | 122.770304123.cn | udp
US | 8.8.8.8:53 | 122.zzso.cn | udp
US | 8.8.8.8:53 | 122.aapl55.com | udp
US | 8.8.8.8:53 | 122.cant-k.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 715f78fedd2141527c95eb3719a52d3b
SHA1 994069fa3d636341ef8e85118c855092b586dca8
SHA256 b9f6607783a7f19e1ed1f6b10e384cdad5a5e92526ce0a769906123d5d0d91e1
SHA512 13c9bb9e714e521f2c0ec106b028f00c6a4c6923384c16a0be65cfc006c0300341286c365d213fd6de6c335f53998dd685fda2433936b5a4a545bebc1d033170

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 ee2e8553bd0d2bcde5094eff8d9114a1
SHA1 256a15031ebd9dc667582049150a9153e9a7b3dd
SHA256 1c77d79fa9fbd8ff1dfc911a186dd511749bf675f57cec81c96e6a28f9ff1483
SHA512 e2ec8a6ba634af098fd25fae40d6c35db3782b07d5562464d52d018fd05232eb1b255de260f02bdfa3c48ecbc9c82d13ccb1b98ee76835ef9b2e85b812dd0dce

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 ecbc1deef5fb4ffb26b7f65a95a56e13
SHA1 2359f1dfc7af5d314ad4aa19a863f0f63b3e265f
SHA256 6d45e8ba3630628cbbe42c06a69e365e2c4b3f7d76bfcb37f16704ea8cd0bb5e
SHA512 3d8037f50a8984f7e40572026f73e02e3f2c84084d4a7fdea7bf00b0c37540af339b281771e45c65c650f92da8293e5721f04e73c2edb7be0927fed67fc2cd85

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

MD5 f49cc602d6915be07237068087bea17c
SHA1 45aabc94fbb92e79f7a38a58e340498797311bd9
SHA256 6deff6a7824e8f252ce2771b1adc677cc01707eaa635de033718c9c06265778f
SHA512 96ee1196bf861ab6d2fa1d9e605bcdc93631b2dd5fb6fed6fd5bd1c1877acad45af7038597dbd2293b7d5812f94bc863becab869cb465fabf03cdc84f9017f45

C:\Users\Admin\AppData\Local\Temp\o8nji\tmp.exe

MD5 a80101eb3d91e3c5a9891c12968cbe3c
SHA1 bf63955605cb6fb301e5de58755e4c5ad0a84669
SHA256 590552f6ff92291977bd42b4559338b264f6d9140001a150456b641015656fbe
SHA512 fc8153db20ff2ac98ac99897fd05155645b834968942214492f467cb8a9cb746b1ea14092151bea389b44cc1bf6972240ff232e0d11ec19ef6a3fc39a40a6b26

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 09:03

Reported

2024-03-25 09:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\341d.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\341d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always" | C:\Windows\SysWOW64\rundll32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\341d.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\b4cb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b3fs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4f3r.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\17d | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\14rb.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\a1l8.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1ba4.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\4f3r.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\341e.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\34ua.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b4cb.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\341d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b34o.dlltmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\s.exe | C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe | N/A
File created | C:\Windows\SysWOW64\-63-21100-67 | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\3bef.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\a1l8.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\144d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\b34o.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\14ba.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8d.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8d.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\Tasks\ms.job | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a34b.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\8f6.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a8f.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\6f1u.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\4bad.flv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\ba8u.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\bf14.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\f6f.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\a8fd.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ProgID\ = "BHO.FffPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\ = "CFffPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\VersionIndependentProgID\ = "BHO.FffPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ = "IFffPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\ = "{D0BF843D-B065-483F-9330-CF1DE76F1492}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB539747-416E-4ef8-ACB0-5C9F0C84BFA8}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0BF843D-B065-483F-9330-CF1DE76F1492}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ = "IFffPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EB073A3-D411-4474-AD30-097193FDD410}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4144 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 4956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 3372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2068 wrote to memory of 3372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2068 wrote to memory of 3372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2068 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2068 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2068 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 1176 wrote to memory of 2572 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1176 wrote to memory of 2572 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1176 wrote to memory of 2572 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2068 wrote to memory of 2796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2068 wrote to memory of 1244 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1244 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1244 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dda23622e11ab157654d735ae2eef9f9.dll,#1

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -i

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -s

C:\Windows\SysWOW64\341d.exe

C:\Windows\SysWOW64\341d.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2792 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 7d3c0b8f800d4e022dcf587947836682
SHA1 de0f21cf9bb10e82dc18ac274f1cf1d5e09cc4ea
SHA256 143e230201efd077ba0237b195644345ae41df583a92ae13afc0e8befe5725ec
SHA512 26f9b0c3d133eee4f40d927ae0b17d9a60c881eab4f9ae129167f668217c9dab3e3d1ba01156857512c3765c0a7b66efe3c6b95f326094b87e22e0e02e2199e0

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 5cfcca7ca1b63d3d526c09283bd69f33
SHA1 072c50387498eb9d7de087ab5d980edc579a6a21
SHA256 35346aedc1a5f3fe416e0d0e82b5cedfc853225f6729e17e71265d7f6f601d35
SHA512 56c6467ec0ec0fdd67888bfaa9245f617968f5c9dd345e870685e95a8433ad083b539107b97ff33b1a6705ad2f171b5a5dd729d6cba57b7fa62585f05864eba4

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 f1b47fbb68c0a5c5d72535538dbd0d96
SHA1 736868b348f2e037a70ce2de145528fbb5274ae3
SHA256 0c86520049e8a91055ecfc05caf2fc002f3f4f4f85e01955d35d263d4b726d45
SHA512 4d56c3d9ce94e6014be3122e30dcd457a33ed5ab5130ef6476e3515f0a49722ecebb634b6c2b4deb61d7625ff63da5e978959886eb30c16abe1aa3e44ec98b6b

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

MD5 046c058e496ba85161fb56fe4fef972f
SHA1 e51c0efbae3b45e250a2f7e9a2756ddb990869b3
SHA256 9bda0afa9225cca37070567300a29343fb6ed9045ba33c5ba3a1d774b8b7d871
SHA512 7ad6441048533e2652501f75a1b53c76a9fe9554a0b8c889e73332c8d388fe8785636a302fb1ab6fd9dfb735173fc0f598d5d0b627b37500805045ccf312f435

C:\Users\Admin\AppData\Local\Temp\vgmeah\tmp.exe

MD5 e13c17f4e04f46067f04c93c8e75469c
SHA1 fa34ea329adfc4277834c2f31cb77da0dc887e47
SHA256 7a6d4a56f1f39d3c58fde0eaa328010eef3f7a7d1ddf663eaeff1052f2d38e11
SHA512 4019c462daea0b75f5c6952ffa48baa5782b45b1cab803076507a19154f50bf6071b6524d3fc76416f8f655bdfaef4274d9d31db8976c1fc20f50762d91299be