5cfaec15d48d36b15ac725930e3203e30e40bf17fc0d11de83d5e4f42a0f717c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 15:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

toolbar.exe
Size

3.1MB
MD5

4785fc1f2466a561c40668e98a60b964
SHA1

b0f863eac1dc7b521ed95369563029fecfef005d
SHA256

9c94e49f06386735ab62756155ed724470a00066c55056499fee75a3fd503dd2
SHA512

f6ff2ce5d9b208c4b62a26c8cd510a1a0983b600e182da333ce01460b6cd9363324d445d08c0f5992d10ad89dcca47f978f4665404f225da076cd67b829fe9b0
SSDEEP

98304:YuzOTv1n+r0xFM2Bjeml5NpGu2V7fICWyFkYdH4SKCYI7:YYOTv1n+r09jRl5TG7rFWyFkYm5jI7

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	toolbar.exe

Executes dropped EXE 1 IoCs

pid	Process
1856	TbHelper2.exe

Loads dropped DLL 32 IoCs

pid	Process
2668	toolbar.exe
2668	toolbar.exe
2668	toolbar.exe
5644	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
6136	regsvr32.exe
5644	regsvr32.exe
5644	regsvr32.exe
2668	toolbar.exe
2668	toolbar.exe
2668	toolbar.exe
2668	toolbar.exe
2668	toolbar.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "TBSB05204"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}	regsvr32.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\peque.dll	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbHelper2.exe	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\your_logo.png	toolbar.exe
File created	C:\Program Files (x86)\Mozilla Firefox\searchplugins\ecustom.xml	wscript.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\arrow_refresh.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\clasicos.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\license_es.rtf	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logo.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\musica.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\toolbar_es.bmp	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\favicon.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\uninstall.exe	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\update.exe	toolbar.exe
File created	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\uninstaller.exe	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\basis.xml	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_canalesporpais.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\deporte.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\cog.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\infantiles.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\estrategia.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\favicon.ico	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\ninias.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\plataforma.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\plataformas.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\accion.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\aventuras.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_radio.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\videos.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\tbhelper.dll	toolbar.exe
File created	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\inst.tmp	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbcore3.dll	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\icons.bmp	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logo_urtvbar.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\info.txt	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\license2_es.rtf	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logica.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\smses.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\tbcore3.dll	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\aventura.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\deportes.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\habilidad.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\version.txt	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbCommonUtils.dll	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\toolbarconf_es.nsh	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_canalesportema2.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\computer_delete.png	toolbar.exe
File opened for modification	C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\noticias.png	toolbar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral16/files/0x0007000000023366-412.dat	nsis_installer_1
behavioral16/files/0x0007000000023366-412.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
3760	taskkill.exe
3704	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6067d1705880da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-1111-472f-A0FF-E1416B8B2E3B}\URL = "http://www.pequesearch.com/result.php??q={searchTerms}&cx=partner-pub-6602099248235180:ab2lrqoi99i&cof=FORID%3A10&ie=UTF-8&hl=es#740"	toolbar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\Height = "22"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\TBPos = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\RunSearchAutomatically = "1"	toolbar.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31096920"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\RunSearchDragAutomatically = "1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\CurrentLayout = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\AutoComplete = "1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\DeskbarMode = "0"	toolbar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\KeepHistory = "1"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\rtime = "1711551994"	toolbar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\toolbar_version = "1.0.12"	toolbar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A7CB614-EC4B-11EE-BC8C-7E04413C8FA3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\AutoSearch = " http://www.pequesearch.com/result.php?Keywords=%s"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000060000000903000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000faf96fc8edae1b45a9cc39a53173ae2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\SendReports = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}\MenuStatusBar = "Pequejuegos"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\toolbar_name = "Pequejuegos"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\ShowFindButtons = "0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\Height = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31096920"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\needSetHomepage = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\TBShow = "1"	toolbar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\mac_id = "7e04413c8fa3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}\Default Visible = "yes"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\UpdateAutomatically = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418316970"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\DescriptiveText = "1"	toolbar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\needSetHomepage = "1"	toolbar.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\RTL = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\tb_items	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}\Icon = "C:\\Program Files (x86)\\Pequejuegos\\tbunsn80BB.tmp\\favicon.ico"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31096920"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000516244317b44ad49b8c99564e34e94d3000000000200000000001066000000010000200000007623e32702ea7439174372ae5f16e1cedb2d9d0e137ba5fd86baacaf4b32c201000000000e8000000002000020000000679356b6d12d7f68918308abf7cd790c379b2e626bd118e0258a523eb705ff6010000000fabdb45c2a46ce5eb8f7fd9ad917feba40000000e8da5de5f98ef0b48506a99414cf8f9d83f3eba01159aa2bb71081e60dca8cc20fabebf8eba74161e010d93e90e58ff17fe316b620b1cf12333297b924173ff3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\TBSB05204\Toolbar\C:\Users\Admin\AppData\LocalLow\Toolbar4\{C86FF9FA-AEED- = "1711551998"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager\CurVer	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TbCommonUtils.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbRequest.1\CLSID\ = "{1C950DE5-D31E-42FB-AFB9-91B0161633D8}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05204.IEToolbar.1\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}\VersionIndependentProgID\ = "TBSB05204.IEToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}\VersionIndependentProgID	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}\ProgID\ = "Toolbar3.ContextMenuNotifier.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Pequejuegos\\tbunsn80BB.tmp"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\Version = "1.0"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager\ = "SearchProviderManager Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbTask.1\CLSID\ = "{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Pequejuegos\\tbunsn80BB.tmp\\TbHelper2.exe\""	TbHelper2.exe
Key created	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Software\Microsoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl\ = "CustomInternetSecurityImpl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05204.IEToolbar\ = "IE Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05204.IEToolbar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\Programmable	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbTask\CurVer	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ = "ITbRequest"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbRequest\CurVer	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05204.TBSB05204\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}\ = "_IPropertyManagerEvents"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\ = "ITbPropertyManager"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\ProgID\ = "ComObject.DeskbarEnabler.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\VersionIndependentProgID\ = "ComObject.DeskbarEnabler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\VersionIndependentProgID	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\ = "TbRequest Class"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\ProgID	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\LocalServer32	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib\Version = "1.0"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1\ = "ToolbarHelper Class"	TbHelper2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}"	TbHelper2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C86FF9FA-AEED-451B-A9CC-39A53173AE2E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}\ProgID\ = "TbCommonUtils.CommonUtils.1"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3272	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3272	iexplore.exe
3272	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3760	2668	toolbar.exe	98
PID 2668 wrote to memory of 3760	2668	toolbar.exe	98
PID 2668 wrote to memory of 3760	2668	toolbar.exe	98
PID 2668 wrote to memory of 3704	2668	toolbar.exe	100
PID 2668 wrote to memory of 3704	2668	toolbar.exe	100
PID 2668 wrote to memory of 3704	2668	toolbar.exe	100
PID 2668 wrote to memory of 5188	2668	toolbar.exe	102
PID 2668 wrote to memory of 5188	2668	toolbar.exe	102
PID 2668 wrote to memory of 5188	2668	toolbar.exe	102
PID 2668 wrote to memory of 5644	2668	toolbar.exe	108
PID 2668 wrote to memory of 5644	2668	toolbar.exe	108
PID 2668 wrote to memory of 5644	2668	toolbar.exe	108
PID 5644 wrote to memory of 6136	5644	regsvr32.exe	110
PID 5644 wrote to memory of 6136	5644	regsvr32.exe	110
PID 5644 wrote to memory of 6136	5644	regsvr32.exe	110
PID 5644 wrote to memory of 1856	5644	regsvr32.exe	111
PID 5644 wrote to memory of 1856	5644	regsvr32.exe	111
PID 5644 wrote to memory of 1856	5644	regsvr32.exe	111
PID 2668 wrote to memory of 3272	2668	toolbar.exe	112
PID 2668 wrote to memory of 3272	2668	toolbar.exe	112
PID 3272 wrote to memory of 1348	3272	iexplore.exe	113
PID 3272 wrote to memory of 1348	3272	iexplore.exe	113
PID 3272 wrote to memory of 1348	3272	iexplore.exe	113
PID 1348 wrote to memory of 2736	1348	IEXPLORE.EXE	115
PID 1348 wrote to memory of 2736	1348	IEXPLORE.EXE	115
PID 2736 wrote to memory of 1912	2736	ie_to_edge_stub.exe	116
PID 2736 wrote to memory of 1912	2736	ie_to_edge_stub.exe	116

C:\Users\Admin\AppData\Local\Temp\toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\toolbar.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\SysWOW64\wscript.exe
  C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\parametrosFFtp.vbs http://www.pequesearch.com partner-pub-6602099248235180:ab2lrqoi99i
  2⤵
  - Drops file in Program Files directory
  PID:5188
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\tbcore3.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5644
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbCommonUtils.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:6136
- - C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbHelper2.exe
    "C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbHelper2.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1856
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.pequesearch.com/on
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3272 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=901f4
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=901f4
        5⤵
        
        PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbCommonUtils.dll

Filesize
117KB

MD5
3ec2121c9da9ef9fddbc88edac1cb622

SHA1
4d3840371f5e131989f8d47c6c47616ad7593875

SHA256
600f336e90372a148b1460f6feda5f6fb2801c3f54c40584221f2bf5bbb0bfc9

SHA512
af461a511dbc4c70736a8029e84bf8e875cae2cd91162e304d292ad2c0dd174b4cc0288306537d9c9d875788f8122670be47f7d547227ed499e92ac1b40b12ce

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\TbHelper2.exe

Filesize
198KB

MD5
f990b3799426cd9742f0e38890628b89

SHA1
e92de99adfa10c90bef30c96cadb52ea3af7749c

SHA256
d88964c603ea4b607bc5001d0aa986ba54a7a39ea35dfb9c1a43fd7978ec7f48

SHA512
bb1e512378a8c62611140862d044943b990026b1bd2e97bad6063cd9e111f7791416186ad5e10839683c8c0c280141d6b7962fe4d0540af93cda5624f9a7a5cf

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\accion.png

Filesize
3KB

MD5
3c5f18da30a7b58c0e927e79abd5a96a

SHA1
736f88132fadb34506f86749ddb542473c6cc560

SHA256
1e50928b4f38b94fc787cf87b150db7d6c4b586c3a6c88bfa221af57de461832

SHA512
a166c6f36741f93fd1ae2cf74ae74d55fa20d6de3a9c5891ac7b207208044f782caa3ce20e151ac5e36c631c762ca07f7d1353091940634a4ddf2cf7dd3dd7b8

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\arrow_refresh.png

Filesize
685B

MD5
6b95778460f660aa7c08f47d244780a7

SHA1
f2eea1beb95edd6009a6f5098cccc3962794e1b3

SHA256
280dbbf4671d54b64df74e62245a831d8586215bac281b4cfd6f2254d7bff59e

SHA512
b346a5e713d48ff2bd6ff67a806a36c8c4f8a80c9c2ada1e3a13ae5f26e9174765935c22848a409b3607744c299d3c4a9b66083e57d2c22faf6a644eb24ab6f0

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\aventura.png

Filesize
2KB

MD5
7250a1d1285eed599bb2485a188417d5

SHA1
fa23d13d4d17d3200a5d139d61b919f8875d3bac

SHA256
969e284c7ecfc144d23db4bbf382f2207fa55c72f1b0c203b167ee1971897f6b

SHA512
411fb88bc9916a70cb1ce47ce66184e372c90c48cbc863123262d5d5db6533ed795c804c9ef8ad96294e1ed3686c69d414ef383adacdc69239248adb002b927c

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\aventuras.png

Filesize
52KB

MD5
4870703a4af583c8a47d9d030c49b47d

SHA1
5431411a13cabda950288c222074d89aff9a45de

SHA256
bf888431730831514ba95b68aea0794f4b48ee4daf9508c720992e2dc38ff600

SHA512
c611c86306ca6e22e5e3c5dd2cec0fa023038ed567696d955b78f42b5a744ba4a8cbe7976335c8b67aacf160d59d433c7978b1bdfa3b7539f8952ffe62e2cc35

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\basis.xml

Filesize
12KB

MD5
54507dbdda179bf90279ba2b2cfed982

SHA1
112fa03ef665144d36c3c2e89f203c6f3ff6b1ab

SHA256
be372ab9dc9de52fbc6ca506187883f18852c15c0a05ae930491570f05f47275

SHA512
7e6ca404e91ab1e031ecef5fd69ee5c73357937b90da29389f22906c178ea1f8d893edaf3879ae5458d6001ad23248c3cf8fcc3db8df9594c59ec1a1a506c0e3

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_canalesporpais.png

Filesize
24KB

MD5
1756733dbbf06d47a04880ec27f024a0

SHA1
5b61f6a291b0081a8f905039f1dd58f28c4d5bb5

SHA256
42960a9d896cdead2b0bd0b756145a0e75f9b5aa446aa04b1c2f3045a80526e1

SHA512
70ffb2ff894cfe5edd671262ea78485a3206ec5a59c614e54d15181f5b02bfa0969a4ea6b937f2e11290bfa3725d3a141987a9c8bbbaa4995cd3b06478869076

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_canalesportema2.png

Filesize
23KB

MD5
83727de25d9f3800392741e7f3d221cd

SHA1
60938195cb99cc008a701e017ae1abbcc66c7794

SHA256
58c9107ec09e8e2cafe66598f4779478f52cf480f00326eb08582111129062e3

SHA512
63d53bbcde956818efe61bc9308352e8fd54a08b3f40b70ae2f41a0e58c9d48acedd45b9a44e84de20990886154457bc43d28991763eed1d4e92fc01b07dbdcb

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\btn_radio.png

Filesize
21KB

MD5
917cd17a294a0bbad6fa8c15e2388899

SHA1
5da8573ee8a15435fa1f97bca24f1632c3f444d7

SHA256
268bb361f709cb3fe98ee0fad0e664a2b9ffe834d4de226940926da3ca298e8f

SHA512
e622cf1a09b96381e64bb43d43ad1a9c2e1e5867992e22de42b5453a24322b2bb462034921bd189413299728d3b6feae5ab272da0ed74370cc220deb770974e5

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\clasicos.png

Filesize
52KB

MD5
3d431f85259bf8c4013bb8ff7f9d6871

SHA1
0b71b58f3f4cb0e24f56907b0cad4c9b75339a26

SHA256
174a33c867d886f847fc07fcdff91868f8b0bcebbfee4c33b467e71b285735ca

SHA512
3b0992cb42664e21dff7f36ddef3116594a307709d6722cb8d8c23db1a934f7d7497647527809eec3866f33fa460330725aae93574af24506dde60d659e23148

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\cog.png

Filesize
512B

MD5
30a18063ef42b090194a7e936086960f

SHA1
bda19a5e3e34a27909ee79f59c4042ebfb12994c

SHA256
73bd21e518c03a9904199b19dc0a0b621e0b9fafcc9482e8b9623e05bb4cafb6

SHA512
8b8089076c0dc5a77ac6fcad0e0f98520a8e6271fe7cc03dd33993522eaa39be602182d15cc630e14067a80677c1af6eb126df2e4525de4473e0b2a1dd5bb180

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\computer_delete.png

Filesize
775B

MD5
83a683bd157467c88733772d239d973e

SHA1
7baffb7264edcfb64786860c988a42e30c4d5db9

SHA256
8c011bf02c9b01ffcb3398d20948e6dc1b3f2de797a70249c5e7f5bd396a6683

SHA512
1d4b3af0085291de10c1755dd9457418c44c6b89d55ef1d717520057d12bce8e633f3a02e830b57c64403a42480d2f368022aed4dd80513de703df2ca3c29197

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\deporte.png

Filesize
2KB

MD5
e872abd3d0a9a7ea5626a48663f311a8

SHA1
1dd2dc3694a0c0b2fd1f78168575b4aacf8a0fa8

SHA256
63565024b9d0f8ffbdf50748349702b1ca6055d54c487f8ddb5d57654ba5f4c4

SHA512
ff9d96bc891257c1f2f15f532480bfa9e27c321c4f91374514af6d32aa011de5bc66c50dd3c5edc2b440636346ffe56b3593fdf62327d69426a654c64ea99d3c

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\deportes.png

Filesize
51KB

MD5
0618b45850004ade305a19c4196cb858

SHA1
8444e1afcb84f74bfd718dbe11498ed39d302987

SHA256
638b0fd9806d253e2a16c511e1a3eda61bb15b834f0a57cb756647da5d216863

SHA512
33a4ea0d007c6e97967e1c74590090a7aa4945bf5fb24e28025028e30052d01b878ed673a9baea55b8482972a75629f9079ce2ca86cd3980d95c160d7a223ca3

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\estrategia.png

Filesize
51KB

MD5
a56c0eda7ac93162ee22f54e025d8364

SHA1
cc065ca293027d94bd94011ea58e77021c376f12

SHA256
b25a1d2ce45cf47fd0b8dd42a5ed7a39c5143b41b040866d2adf1a26ebdfb6dc

SHA512
12294276f9018db61b297192da0f3ba9c3142af878f03f9fb31a5bd6c79c4c73c6ed9ad0759abd43acd2911b54fde2fe164cbedded354412a3d30cdb1db8bb28

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\favicon.ico

Filesize
5KB

MD5
dbdc085fa22b7da5a978af51dbd41103

SHA1
8b994da9f4f2027d19423644ad496f7d8bdb21ea

SHA256
616e999698be65e4f3860a2520d9e1788af1976680c92f3657bdc75df6bf9870

SHA512
914d2c6f83c9c3076ad811ab841516017c11dcaa5ccc5a59a70b433e60151024ff4507481787608c1cfb04624c302d52e11e30e08d058381e0fb37d56ec78742

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\favicon.png

Filesize
2KB

MD5
e3445964bb14cc185d7f648cc1d84a50

SHA1
d0e7d0105be50dc62736df374cde9e0b74cdf6a5

SHA256
3e282319a20a7a0bd80c4f17437edd3832a87d623ba1a37b2ca3aeb976cd48ac

SHA512
245e77b4c9c5af98ab9da29e1dc3d5977164a24f12b11869aade0f935a9ad872dc02aaffbaf0eee8c43ff279671dbc34758a7fbfebfd7751d1d82ff5b2932abf

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\habilidad.png

Filesize
50KB

MD5
4ddae0df044ec07829389854c1e9fedd

SHA1
a9fa81cc1d40c3bf2b3eb649a75149b9d3c10ab9

SHA256
b0158c7e84df27580e87fda51b22fbe1e004fc9dc4cf9852a905ead6feab016f

SHA512
887c087a879cf066a47749f74152f5f6f279def08220399e00f9ecde95c651042864f8cf4fdc6fb37bcb375d35f7e2b7414d608939d488c3b6f0925b936b6847

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\icons.bmp

Filesize
164KB

MD5
e98caeca9bb74b1c8e41035b540efc63

SHA1
c8aa9831610cef9a71b823852e30c20ac852d3ed

SHA256
8d53c349759199d988f5137d1674f55148a7fdf88a03d937f105e6b57a50cac0

SHA512
7d1c2a90ed63b584b3686f01bd7d6df1ef8e881718b78ba660c5dfb89a76b36e063d7443c9cdaf2227098a6b46272515e70fdfba6e719efa72fe1d20f26ba8e6

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\infantiles.png

Filesize
50KB

MD5
e03ea095599abf7a92beb61c3a19a0de

SHA1
d9e53abbf879da071027c8b071ef745f9eb2c7cf

SHA256
73f7375111e3a0b68098bf8a7505e28d637d309c02d3ecbab4aed30233352994

SHA512
6cf2fb8f9cafdb05c54a6133edc0ade25ba5a725bf83613d8e092df296254bc01eae30cdece5022ca39135c71e3d1b8566a438a829d5d9c7199caffcc964bfa0

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\info.txt

Filesize
715B

MD5
1cca92d8b5e00eedf06136d043502d9e

SHA1
332dbc39ca6cde899d69e72fdfe86e1571d5fdc9

SHA256
bdb74ba2a7db4bf1eb0f3f81f6cec66e52e2d189ffd72aac417228cf39f5c661

SHA512
6bd0d3b78906ca84b1302ce9c9b664bde52c4890ef695ab7c0980135cee23a804b8cba823e4b10ed17383ccfa438b260c05d258473586503ae4456c21ff00468

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\license2_es.rtf

Filesize
35KB

MD5
12ebbccaed28b4563d2fcd4ec7732de0

SHA1
40b3bbf374b56313b3cca311ff1d7ebf73ecc9ec

SHA256
f63dee2f111b8d4a9490685aad7fb81f1bb1f53aa905cdf4edaee85de514eb56

SHA512
aa4fc4cbbecce5a8899d4805c752c717b40b4f1e692f6be4542acbb14542937707976a7d371b4263ce7c58cad630f7082966e955aad0d1220f85c58ae065de59

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\license_es.rtf

Filesize
47KB

MD5
d18e55bed2144a1fcba280b899caf67a

SHA1
bb3c34d58d3551708649beab02f404acbec5b27d

SHA256
8e8e2fd737c7f86c2a06960cbecf3c292401aed22e52a91c485808af9a4960cc

SHA512
8ac644f0279daaae09872d13d62e9c98d42b1213b870d0f2b230b5e1dfb6e38ef87d2d1530e8e46e6763b4efe2001b314b188de6efddf01160fa63ceb4bd5381

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logica.png

Filesize
51KB

MD5
6386f8dc7cd41208d22e2e6f1b9f3b45

SHA1
e8db04d4cffa0aac8846ff987a54b226978c76b0

SHA256
1a34098333726f9ac55e8344dc14e37eeb45ea88ea088c2250de364e87245f68

SHA512
7e2df2353cde6d559cc314796388c2747f2d2461d02368528a05da16154f1cefb9e58a9dd3cef87811a3ec2694c9598b7d03d184ecd21117f5b85db5373f35f0

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logo.png

Filesize
51KB

MD5
c4c129ea46862c4c0e702727da33584e

SHA1
5e2f24bf201d42cd1e8c33c809e7fe3102475890

SHA256
90c75e57ebeee38a78e5123278041f757176617dc7d0e40b06ca9ef7db51ea5f

SHA512
544e0efdc4475b6159c9cece8e43c82a03504a82eb34687c03874ca7aecdf17c04f9084cd643f4c1b5bbd8e03c3053d9e448e1be5e7a5b842373bd7b16c2590e

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\logo_urtvbar.png

Filesize
25KB

MD5
9eb5e504ac41f9710138f990788e783d

SHA1
baa8dc158c2229d8efa16304f39f452bc9f4e739

SHA256
319dd9d23911379c73bae9a311360fc7d0684324454dac56f0fd326d7ba77e16

SHA512
34bddda8078747b9e633db25553f18b0ce5f5040d6103a7c10600775517ea778d33650a29799297e2b88363a4197dda6c863f86c6ae56d78db42a24aff8a1bb0

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\musica.png

Filesize
52KB

MD5
92b2dd131b26ca0771cd30e552884e91

SHA1
8c72cdce0a1950f958ff9dd096d7813ed485f83f

SHA256
76e6972a513155ee419e8b071002b462a3a4ae57a503640a62dfc2f94e40afdc

SHA512
7833d2a5791f45604e4c290730d30967d222facb40a9bdfb9625ae4147365b2708f32916c35aab479f9146d01b87bc435d5a6fa0fc1aa103c34aa2c2d6845938

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\ninias.png

Filesize
51KB

MD5
f07d826eb7c209462ede06e6bfd7d8dd

SHA1
1ea547aba57155fd3cd1a5ca4c2623049ea0bd8c

SHA256
9565599b7a1c2066ddd08ea152746e1b8a9d3268717ef5925dd7f060add4e630

SHA512
df44b6002f592869b59904f63c85e4d7d1391ca1b52353c115259278cec28cc5ce457a4bca287994ac1d545a36f8a6dbdf35fbec42f05455c485775b911c7302

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\noticias.png

Filesize
51KB

MD5
b83da5b82eb31dce1bbb98fd4029da3d

SHA1
00555aea60b16b127cfa731c4e29274589c8a5a8

SHA256
186dd343834b103d92f98b9ec6f5a911c69da347107ec75e7a2227bf89e22a71

SHA512
bf78074ddac912416a938adcf8bdfd9af24cf0fef121dc4345a457f30ce4c18f05724a615fe21782a021f6aed819cf67cf5cf7b4d92ea25b571a40422d44cc4b

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\peque.dll

Filesize
46KB

MD5
46fd28f5e3bd350d69324a5136b499d7

SHA1
683bb44ac881c963cf214d7000d2191065f7581c

SHA256
4a7f7bf7a94c103d4ad308ef3d4de5f21ef263ae265270ba1c748fd7f2102cc9

SHA512
98cba6905816e2325c5484213ce918f38091d4fa90421b9e31a660bc68ae700729744476f7337e49ece48bacead44adc7f1007c7e9ca96bf8b10c9487c3efb0c

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\plataforma.png

Filesize
2KB

MD5
52d0083a2dd60cb1bc7b24a15400a19a

SHA1
4e1759e14be55acb9fcc99c72e36fb26cb8f0a23

SHA256
ffb628e372a8a75698358d4a6bc8f094b677e7e5d01adfb3f824a9ff26238e3b

SHA512
ecea9586991d3a4e39b3a8d950d28453bec87f3e5e873e32b206e2a8bac8f1c189ee1779e21065123b0027be2f32eca0967380051ba511b655cb24161574f714

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\plataformas.png

Filesize
51KB

MD5
954f808a1c92fb3bbd7eb2ec12b9f111

SHA1
10eb6e353ce32f55531ff72b83ca3ba84a951231

SHA256
82a61854583623d48900bb64e8ad3b91b2b9fb08adecaa832b22b6b314adb99f

SHA512
2e1a3e66bbcfce307c6feafff423e4cb9857660d61c66ed6dcbd848daa007778ca56ab64910ee883537001816154b853a9b455b88dbab477de00dcd2fcac9cca

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\smses.png

Filesize
3KB

MD5
14a9051d7670f1dab33c516cf1a2f2ad

SHA1
7884a0039bee11d98b4dc5ee5e7f0b13d339153f

SHA256
2de78bbb04d50552627cc337ac3663f02644a53e3582e588c92e8e52dd68ec8a

SHA512
909afe6efe5bb784a9a51481934d3a6d0b10484c094cedf09f5d270c1141547c075bbada2d0e6198302c45f8ac52b9e3455a1c17d9e4e1659404d087eb0c9c85

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\tbcore3.dll

Filesize
2.5MB

MD5
cceaadc55eb13402f53544dade5183fb

SHA1
8871968463ad5a60475ec6c78f50f62558f79949

SHA256
0371791628b1ce5f6ea3134773a06f1766479859439e9bca5d855bee51393ee7

SHA512
e5f0ff94e04c1eabec7a5b919ef135fbb6d07ced6876a51228f76b4ad08a612bf3d00055f93772ecf1634f5677bb1d401e4bfbf7c8952704b775588d40c24d22

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\tbhelper.dll

Filesize
303KB

MD5
c971332990a06bf95210ed6f899ce22d

SHA1
0bda79a68d49aab9d5313be030b1deda3447cc37

SHA256
d002d04a0a0aaaaf22ef8fe81e16edf548e57d54744a7b3640d79d80d2159d8d

SHA512
049933b04c9896bfd2affcbcf07faf4bc50b047b6f9a3a9e7ac4ad2644d7040570e9d457b081019f183f204979571cfcb06f8356de6f25b14977eaee5fd500ed

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\toolbar_es.bmp

Filesize
33KB

MD5
4aa05d6f4a937d4bdf0f35ed71281ad5

SHA1
a854d9957ca7fd839a59966a767e7f3ad9038719

SHA256
f2e74be0f9bb0aefcb46c38adb3660989fd0466edaebe7724a1996b870cc6416

SHA512
3304423e5f788ec0f80521c691324822738fa294ba9a1ddd064e8427f4f40012c2a617b88bca71949dcd0df081c4479d81c2c48a659c87ddd12151b3c40636e3

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\toolbarconf_es.nsh

Filesize
1KB

MD5
031a4262f160f64ba0ff01cf99f6d436

SHA1
0d4532be72711a6eabc310c2f3464a16adfc8e38

SHA256
7797d14103faa6591656b95a9978ff7b94651eff898af680df2a0748ee79a028

SHA512
ef70dc82f4086bba6cb93d9566662c7ea602c2c9dd002355bd07e4a39a538759c1a729bc147bc4c583582190d763edf0d359f757c44f75856898b4a81d9a5c3f

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\uninstall.exe

Filesize
47KB

MD5
eba99b8eadc2239d2f702050d7ff226c

SHA1
8dbce65c8587c0f4671d09b48ef8f47d0580cb7c

SHA256
cebc178af1e0f75ee94aa390d161a06856c74593a52a51418dc006428eb73149

SHA512
e855b9346ba07440dc66b091d451585d80442ba73d7ff6b62a35af409bbe624972c844a1c216322303adc4eed3f39fc535b062f6479f19942c859db0d79c4287

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\uninstaller.exe

Filesize
98KB

MD5
2a8f6602d2e1747277a6a8e1167404ca

SHA1
f49589bc474b0f4251958df869d520f9e0660026

SHA256
7b1f460ade267b0301cb0d9f54971e3ea288ca89a53c3332494eb7d4b70504ba

SHA512
8e5ea5d05716ec153e11b8e3e8ccf67c6569037f61e96aa50b4a9dd22050d8f359bc1178a4e01285a557c93edf05cb41a42fdc1e77606d5c911f55dec0adb9fa

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\update.exe

Filesize
75KB

MD5
c0c8d6de70d3bdcd30fe8c825fedda7f

SHA1
34724e9bccd05d55a51a4491ef1533c11eb60e02

SHA256
1a4d3e8bfeffcef2e93a4d2495c89c0736a4464b202508138da0dacf7093ed42

SHA512
f9e5aefb2dcded815a8e5c8512518de2dcc1d6d0845960f1db5cd23078e42fcafa6caaee2a1135e93c3cdfd1b616da5990395ff60724c8d2c7aecb4ea253e99a

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\version.txt

Filesize
48B

MD5
f9a3ee844f52829d4d9f9a50a73c4a45

SHA1
071f61bb4eb8cc6565a2063d7013d34d47987ebf

SHA256
cd9c7adcfa5adb5ca22b2f8f2fb90b7e0c77bc0fb16d4b2c01d81213d44d3d6a

SHA512
83ceb3ad082b8cc8d1e9b0e3c7620c7d65b590eab78962d07dcfd438fe18b545253c475853092313333a0ea6acca2f68670dd96b37a88306152294815040dacc

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\videos.png

Filesize
1KB

MD5
69cc612eb08085220474a23f09542e2d

SHA1
74291b5cd87b74bb05940c92ef6a853d33af2b3f

SHA256
e0d8c738fb5fde259584588e776342cae3a1613587e81be153921a3dded47b10

SHA512
695fd8e43a573cda144c7e346f49cd764d53fec3dc044acfd1faeea5e66689883a44d74138749d761f0a23a761eb24db6c8fa961c521dfee1e3a901e8c19c8ac

Download Submit
C:\Program Files (x86)\Pequejuegos\tbunsn80BB.tmp\your_logo.png

Filesize
4KB

MD5
4f85d6b204fe0eb75858031af68b62fd

SHA1
85a2e6a6ba242c0cbd6027b0bee00fe47f9ac390

SHA256
f1f6901c53d9bc846c65ff79486c93c82ecd832912104b76f0e0a049883e0b1e

SHA512
d2be63b38b5012b1179d92c62327bdf703ee3b9762fdc98364ee35dd10a2c9dbb1120e83a36cd5ed8e7188708db70799dfff73d9030b5eba0761378955911e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1A0B.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\63P52RXT\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PSD5LAGV\v1[1].xml

Filesize
742KB

MD5
25a40f949855471562a1a9e465cfed7c

SHA1
c3a563c56fb8323e6c2ee7fa417c45d8384a4156

SHA256
075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127

SHA512
e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7F04.tmp\CabDLL.dll

Filesize
80KB

MD5
3b8cf4f6c883c7ca0c964ef2a96525aa

SHA1
7f0d1b89783056decea951fa7b25d3c4c354d0d3

SHA256
58b29737613b3b916ae6d8ad12790da5cffcf0f354739abfa41bab60a80d40ea

SHA512
6474c7a8fb31c0e1cdbb4fbc5653a060961557565484ee2d26beb8be0e5d047790f8ff96710729bf5ee9eb00011beb98c370eb2ae01aa4ad0971f58910ebcd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7F04.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7F04.tmp\UAC.dll

Filesize
13KB

MD5
bcec2a6095d38abc192a68d094c302d0

SHA1
9e88c5b957b45524690513b75d81dee259d5d599

SHA256
446000200eff4f9c20761ce1680902daba190c81a57154f4917b1741d7800e3c

SHA512
b48e85a17904a104eef573358763a0b1215eec96f72f83ff544d2dab22737bc42411ca505adf3f7e95c6f7e7997ad3e408f258093727105b678d5eee8d8e6278

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr7F04.tmp\inetc.dll

Filesize
24KB

MD5
ef630cf1898c257df36b1037bd1e5392

SHA1
b2c47d9a741d2b5391387059552b37f2daddade2

SHA256
41776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f

SHA512
986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211

Download Submit
C:\Users\Admin\AppData\Local\Temp\parametrosFFtp.vbs

Filesize
6KB

MD5
5ec59b5ac77266afc3a93dbe77f38633

SHA1
4e1d8dcf106cae18384995b489682012c5d4443f

SHA256
afc23f0eaebd37f645e9a8f95592b74f3910e1330d8604dc6aa6a0a1002adb56

SHA512
2e93e4139a61c351fd40a82eb8d09e6e5e79253c319dc9556cb2201f794a86bb8cb7c582450afb4f978d31d6279c1175c41a889d763beca5139cd5713cbdd685

Download Submit
C:\Users\Admin\AppData\Local\Temp\peque.cab

Filesize
1.8MB

MD5
744f20b624c28ebc10d796c1396e4e3e

SHA1
19ce646383a286088741c5631288ece62c99a287

SHA256
8c1638dcfabc1ace9f40c74295b4c4b7ee4863e196e607586013a6f8cf77f59b

SHA512
8aa755aa3e4a6ddb5854a35f2b2ceb4a3a395c6fb0038c995b2d1d76e7168802fa8f8406bc17d46cd712efa80f1e90f12c945dfa0b36f3819c7696d072888113

Download Submit
memory/2668-456-0x0000000004FE0000-0x0000000005271000-memory.dmp

Filesize
2.6MB

Download
memory/5644-425-0x0000000002EE0000-0x0000000002F34000-memory.dmp

Filesize
336KB

Download
memory/5644-434-0x0000000003060000-0x00000000030B4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads