d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

Analysis

max time kernel
145s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
Size

249KB
MD5

66e3a0259401449d70a7b31c8e24bef0
SHA1

fe2848a8b161435518be1dc4b4f8ff136bd7ecf0
SHA256

d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f
SHA512

fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd
SSDEEP

3072:ED6c6iU2mo4MHcebmAGuqh8HafOafal8AxS48R68YYchwa6bLEw0G+DKSOa2mHVn:TchLXcRzSPYSvPSa7zDJw

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
1996	512.#.exe
268	706.#.exe
628	215.#.exe
1520	780.#.exe
1108	144.#.exe
688	628.#.exe
1080	423.#.exe
1760	883.#.exe
932	137.#.exe
1764	382.#.exe
524	246.#.exe
1752	205.#.exe
1828	912.#.exe
316	534.#.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-56-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0008000000013170-63.dat	upx
behavioral1/files/0x0008000000013170-64.dat	upx
behavioral1/files/0x0008000000013170-66.dat	upx
behavioral1/files/0x0008000000013170-71.dat	upx
behavioral1/files/0x0007000000013359-72.dat	upx
behavioral1/files/0x00070000000136c7-77.dat	upx
behavioral1/files/0x00070000000136c7-78.dat	upx
behavioral1/files/0x00070000000136c7-80.dat	upx
behavioral1/files/0x00070000000136c7-85.dat	upx
behavioral1/memory/1996-92-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/268-94-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0007000000013a03-95.dat	upx
behavioral1/files/0x0007000000013a03-96.dat	upx
behavioral1/files/0x0007000000013a03-98.dat	upx
behavioral1/files/0x0007000000013a03-103.dat	upx
behavioral1/memory/628-110-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0006000000014124-111.dat	upx
behavioral1/files/0x0006000000014124-112.dat	upx
behavioral1/files/0x0006000000014124-114.dat	upx
behavioral1/memory/1744-117-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1520-118-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0006000000014124-121.dat	upx
behavioral1/files/0x000200000001062c-122.dat	upx
behavioral1/files/0x0006000000014159-123.dat	upx
behavioral1/files/0x0003000000010638-129.dat	upx
behavioral1/files/0x000300000001062c-131.dat	upx
behavioral1/files/0x000300000001062c-130.dat	upx
behavioral1/files/0x000300000001062c-133.dat	upx
behavioral1/memory/1108-138-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x000300000001062c-141.dat	upx
behavioral1/files/0x0003000000010321-146.dat	upx
behavioral1/files/0x0003000000010321-147.dat	upx
behavioral1/files/0x0003000000010321-150.dat	upx
behavioral1/files/0x0003000000010321-155.dat	upx
behavioral1/memory/688-158-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0003000000011ca9-164.dat	upx
behavioral1/files/0x0003000000011ca9-162.dat	upx
behavioral1/files/0x0003000000011ca9-161.dat	upx
behavioral1/memory/1520-167-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1080-168-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0003000000011ca9-171.dat	upx
behavioral1/files/0x0003000000011cac-177.dat	upx
behavioral1/files/0x0003000000011cac-179.dat	upx
behavioral1/files/0x0003000000011cac-176.dat	upx
behavioral1/files/0x0006000000014544-182.dat	upx
behavioral1/memory/1760-186-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0003000000011cac-185.dat	upx
behavioral1/files/0x000600000001420e-188.dat	upx
behavioral1/files/0x0006000000014236-190.dat	upx
behavioral1/memory/1108-193-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1080-195-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x000700000001420e-196.dat	upx
behavioral1/files/0x0006000000014236-197.dat	upx
behavioral1/files/0x00060000000146a2-198.dat	upx
behavioral1/files/0x00060000000146a2-201.dat	upx
behavioral1/files/0x00060000000146a2-199.dat	upx
behavioral1/memory/932-205-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x000800000001420e-207.dat	upx
behavioral1/files/0x0006000000014236-208.dat	upx
behavioral1/files/0x00060000000146a2-211.dat	upx
behavioral1/memory/932-212-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x00060000000149b7-217.dat	upx
behavioral1/files/0x00060000000149b7-218.dat	upx

Loads dropped DLL 28 IoCs

pid	Process
1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
1996	512.#.exe
1996	512.#.exe
268	706.#.exe
268	706.#.exe
628	215.#.exe
628	215.#.exe
1520	780.#.exe
1520	780.#.exe
1108	144.#.exe
1108	144.#.exe
688	628.#.exe
688	628.#.exe
1080	423.#.exe
1080	423.#.exe
1760	883.#.exe
1760	883.#.exe
932	137.#.exe
932	137.#.exe
1764	382.#.exe
1764	382.#.exe
524	246.#.exe
524	246.#.exe
1752	205.#.exe
1752	205.#.exe
1828	912.#.exe
1828	912.#.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	512.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	144.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	423.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	205.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	215.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	215.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	215.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	780.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	706.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	144.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	382.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	382.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	246.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	706.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	706.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	423.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	423.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	246.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	883.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	883.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	137.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	246.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	534.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	912.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	512.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	628.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	628.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	382.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	205.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	144.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	628.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	137.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	912.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	205.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	912.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	534.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	512.#.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	780.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	780.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	883.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"	137.#.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"	534.#.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\	205.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\	205.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\	912.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\	883.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\	215.#.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\	215.#.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\	512.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\	246.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\	912.#.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\	912.#.exe
File opened for modification	C:\Program Files\7-Zip\	423.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\	628.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\	137.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\	137.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\	382.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\	883.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\	628.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\	883.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\	512.#.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\	382.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\	706.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\	423.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\	423.#.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	144.#.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\	883.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\	144.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\	883.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\	628.#.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\	780.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\	423.#.exe
File opened for modification	C:\Program Files\Common Files\System\	628.#.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\	246.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\	382.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\	423.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\	144.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\	780.#.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\	205.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\	512.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\	215.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\	628.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\	912.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	912.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\	706.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\	883.#.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\	512.#.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\	883.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\	382.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	382.#.exe
File opened for modification	C:\Program Files\7-Zip\	883.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\	883.#.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\	215.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\	137.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	382.#.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\	215.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\	512.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\	215.#.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\	246.#.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\	912.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\	205.#.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\	382.#.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\	382.#.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\ = "FileSystem Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe

NTFS ADS 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	246.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	205.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	534.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	144.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	423.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	883.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	137.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	912.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	512.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	706.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	780.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	215.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	628.#.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\systemlog.log	382.#.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
1996	512.#.exe
268	706.#.exe
628	215.#.exe
1520	780.#.exe
1108	144.#.exe
688	628.#.exe
1080	423.#.exe
1760	883.#.exe
932	137.#.exe
1764	382.#.exe
524	246.#.exe
1752	205.#.exe
1828	912.#.exe
316	534.#.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 1144	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	28
PID 1744 wrote to memory of 2016	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	29
PID 1744 wrote to memory of 2016	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	29
PID 1744 wrote to memory of 2016	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	29
PID 1744 wrote to memory of 2016	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	29
PID 1744 wrote to memory of 1996	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	30
PID 1744 wrote to memory of 1996	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	30
PID 1744 wrote to memory of 1996	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	30
PID 1744 wrote to memory of 1996	1744	d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe	30
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 1376	1996	512.#.exe	31
PID 1996 wrote to memory of 864	1996	512.#.exe	32
PID 1996 wrote to memory of 864	1996	512.#.exe	32
PID 1996 wrote to memory of 864	1996	512.#.exe	32
PID 1996 wrote to memory of 864	1996	512.#.exe	32
PID 1996 wrote to memory of 268	1996	512.#.exe	33
PID 1996 wrote to memory of 268	1996	512.#.exe	33
PID 1996 wrote to memory of 268	1996	512.#.exe	33
PID 1996 wrote to memory of 268	1996	512.#.exe	33
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1324	268	706.#.exe	34
PID 268 wrote to memory of 1172	268	706.#.exe	35
PID 268 wrote to memory of 1172	268	706.#.exe	35
PID 268 wrote to memory of 1172	268	706.#.exe	35
PID 268 wrote to memory of 1172	268	706.#.exe	35
PID 268 wrote to memory of 628	268	706.#.exe	36
PID 268 wrote to memory of 628	268	706.#.exe	36
PID 268 wrote to memory of 628	268	706.#.exe	36
PID 268 wrote to memory of 628	268	706.#.exe	36
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 1660	628	215.#.exe	37
PID 628 wrote to memory of 568	628	215.#.exe	38
PID 628 wrote to memory of 568	628	215.#.exe	38
PID 628 wrote to memory of 568	628	215.#.exe	38
PID 628 wrote to memory of 568	628	215.#.exe	38
PID 628 wrote to memory of 1520	628	215.#.exe	39
PID 628 wrote to memory of 1520	628	215.#.exe	39
PID 628 wrote to memory of 1520	628	215.#.exe	39
PID 628 wrote to memory of 1520	628	215.#.exe	39
PID 1520 wrote to memory of 1968	1520	780.#.exe	40
PID 1520 wrote to memory of 1968	1520	780.#.exe	40
PID 1520 wrote to memory of 1968	1520	780.#.exe	40
PID 1520 wrote to memory of 1968	1520	780.#.exe	40

C:\Users\Admin\AppData\Local\Temp\d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe
"C:\Users\Admin\AppData\Local\Temp\d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:1144
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\617626.vbs"
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\512.#.exe
  C:\Users\Admin\AppData\Local\Temp\512.#.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1376
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\632991.vbs"
    3⤵
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\706.#.exe
    C:\Users\Admin\AppData\Local\Temp\706.#.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s scrrun.dll
      4⤵
      Modifies registry class
      PID:1324
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\772274.vbs"
      4⤵
      PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\215.#.exe
      C:\Users\Admin\AppData\Local\Temp\215.#.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        5⤵
        Modifies registry class
        
        PID:1660
    - - C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\660625.vbs"
        5⤵
        
        PID:568
    - - C:\Users\Admin\AppData\Local\Temp\780.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\780.#.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        6⤵
        Modifies registry class
        
        PID:1968
      - C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\796795.vbs"
        6⤵
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\144.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\144.#.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        7⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\144970.vbs"
        7⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\628.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\628.#.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        8⤵
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\72323.vbs"
        8⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\423.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\423.#.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        9⤵
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\266323.vbs"
        9⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\883.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\883.#.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        10⤵
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\510204.vbs"
        10⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\137.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\137.#.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        11⤵
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\420391.vbs"
        11⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\382.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\382.#.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        12⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\896450.vbs"
        12⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\246.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\246.#.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        13⤵
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\77938.vbs"
        13⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\205.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\205.#.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        14⤵
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\294109.vbs"
        14⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\912.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\912.#.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        15⤵
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\124386.vbs"
        15⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\534.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\534.#.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        16⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\848095.vbs"
        16⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\94.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\94.#.exe
        16⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        17⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\412120.vbs"
        17⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\210.#.exe
        
        C:\Users\Admin\AppData\Local\Temp\210.#.exe
        17⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s scrrun.dll
        18⤵
        
        PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\10a0699fa37928d39c\spfirewall.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
395KB

MD5
7cbea6f7ea8787e2dc1677bafc4101da

SHA1
4ad32390e7e22730cc2ce38a2050bb7273526d8e

SHA256
539bbd8959627e983613bf021296911a97bc0c666620dc223eb1b58b2bcff282

SHA512
0bc492551a6e8f11c8f6152ebaf549e3fcfcd76ad931646e35505ab79165d9d5bdc15e9a2fd17fe9056dbded1844c31a8c4cc8ad1be014d9a91f01a25cad7c11

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
644KB

MD5
485c6425cf59f212c9ff98bfe9e8b622

SHA1
25d1b1c28d1f07d198620e5b6a677b1ed43ee168

SHA256
ea66ece21776a972c3022dd5c30ddff8a85a45ff4ff7b6d0c973515b357cba5e

SHA512
4a6816fd4150c35e2f71270d0da2b7d4e1f963c519e8a9817490aa5b81d1d42f65b4c78133a032a51f6732bee07c19a82670d6eedfbe29b297a585948be7e99d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
894KB

MD5
739f5156b71358c3935356cdb0fa030e

SHA1
a5e9cfc3953610bb0117017d3c7c4a5422c14074

SHA256
c222f3f5565bc95bd6999180a4a9e589539b7f41975db1d0b8838fc24aee51a3

SHA512
6f0c5036f406baff9ec9eb8afa6698abfbc8485c198496d005e7e4879e3eac7e62e16f3dd929b7859ef6fd561597b4b45cf9b0fea75c131d72a8333a694f11cb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe$

Filesize
395KB

MD5
7cbea6f7ea8787e2dc1677bafc4101da

SHA1
4ad32390e7e22730cc2ce38a2050bb7273526d8e

SHA256
539bbd8959627e983613bf021296911a97bc0c666620dc223eb1b58b2bcff282

SHA512
0bc492551a6e8f11c8f6152ebaf549e3fcfcd76ad931646e35505ab79165d9d5bdc15e9a2fd17fe9056dbded1844c31a8c4cc8ad1be014d9a91f01a25cad7c11

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe$

Filesize
644KB

MD5
485c6425cf59f212c9ff98bfe9e8b622

SHA1
25d1b1c28d1f07d198620e5b6a677b1ed43ee168

SHA256
ea66ece21776a972c3022dd5c30ddff8a85a45ff4ff7b6d0c973515b357cba5e

SHA512
4a6816fd4150c35e2f71270d0da2b7d4e1f963c519e8a9817490aa5b81d1d42f65b4c78133a032a51f6732bee07c19a82670d6eedfbe29b297a585948be7e99d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe$

Filesize
894KB

MD5
739f5156b71358c3935356cdb0fa030e

SHA1
a5e9cfc3953610bb0117017d3c7c4a5422c14074

SHA256
c222f3f5565bc95bd6999180a4a9e589539b7f41975db1d0b8838fc24aee51a3

SHA512
6f0c5036f406baff9ec9eb8afa6698abfbc8485c198496d005e7e4879e3eac7e62e16f3dd929b7859ef6fd561597b4b45cf9b0fea75c131d72a8333a694f11cb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe$

Filesize
1.1MB

MD5
53a649e7792498d43ee0a87ac3d1eb4e

SHA1
c13285fd7874f296e4994ebe6e2a41c6bea7be86

SHA256
40794ac3ca84b9ba0957cddb01203c2534c8611628f6868fa2e14dd571ec8141

SHA512
5d715d5a01dd717ad55fc12e96cd671c90182a2d79ef62ee2286603d489d9a1b8cba5185ab694977b4b84da04b15d68ab8a2ae2f00269848370ab65652e529a4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
395KB

MD5
d3168a5cac174162158b939a5af1d558

SHA1
46413469aa5ef7d79e626611efe43773139b0c8a

SHA256
b15623bedddb4dc79fc351315099bfdca507f60dc17e60ec405b78fff1d09768

SHA512
317a1282c3692afe4088a150bbb864c6c5e8a499b5bee45aa617d7baf5aea146048a40984f035b60e25161f4763fe87cd35c3a792416d7aa3667eb7e43757972

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe$

Filesize
395KB

MD5
d3168a5cac174162158b939a5af1d558

SHA1
46413469aa5ef7d79e626611efe43773139b0c8a

SHA256
b15623bedddb4dc79fc351315099bfdca507f60dc17e60ec405b78fff1d09768

SHA512
317a1282c3692afe4088a150bbb864c6c5e8a499b5bee45aa617d7baf5aea146048a40984f035b60e25161f4763fe87cd35c3a792416d7aa3667eb7e43757972

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
264KB

MD5
9669c3832a629401aeb96b26bc44248d

SHA1
203db06f8e2b3986c8cf39fa732191d430e75cba

SHA256
6bb80c46fea371f1c2e941e6c4dd017ba353190f9e018ef87a1a25c403168a02

SHA512
abc0de0dcc6aefd73b34dbfb534c5a1342af783f29d38db593e17bbade6bab06a1b2870ef09a28af323584eefab9a44e8029d79999d325a8e95a345a24b8ef8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\137.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\137.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\144.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\144.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\215.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\215.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\382.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\382.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\423.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\423.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\512.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\512.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\628.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\628.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\706.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\706.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\780.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\780.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\883.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\883.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\144970.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\266323.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\420391.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\510204.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\617626.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\632991.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\660625.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\72323.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\772274.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\796795.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\896450.vbs

Filesize
19KB

MD5
e98740f59246b23b0d7f73f141f24d47

SHA1
1bfd55b3f13c85f94e1694bffa89a2d79a61a630

SHA256
68af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a

SHA512
d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928

Download Submit
\Users\Admin\AppData\Local\Temp\137.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\137.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\144.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\144.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\215.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\215.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\246.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\246.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\382.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\382.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\423.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\423.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\512.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\512.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\628.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\628.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\706.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\706.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\780.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\780.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\883.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
\Users\Admin\AppData\Local\Temp\883.#.exe

Filesize
249KB

MD5
66e3a0259401449d70a7b31c8e24bef0

SHA1
fe2848a8b161435518be1dc4b4f8ff136bd7ecf0

SHA256
d7b8a7abfb928cbd83faf885e2329da6751997eb4a5512eacde71942f1968b9f

SHA512
fd9076195b774df6ef783150b29904bdfb77285764413feb09ba163931c611a88f8d2d0d52131e2166716718d0ef1bea19b114af82e6a219d31b738ec6b3a0fd

Download Submit
memory/268-108-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/268-109-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/268-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/316-277-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/316-269-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/524-239-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/524-267-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/628-110-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/688-158-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/932-212-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/932-227-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/932-205-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1080-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1080-195-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1108-193-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1108-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1108-194-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1108-149-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1144-58-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1180-290-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1440-289-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/1520-167-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1520-135-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/1520-137-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/1520-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1744-125-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1744-91-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1744-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1744-90-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1744-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1752-261-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1752-253-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1760-204-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1760-186-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1760-203-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1764-228-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-238-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1764-237-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1828-262-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1828-268-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/1996-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1996-93-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download