935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe

Analysis

max time kernel
151s
max time network
180s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Size

9.2MB
MD5

edf07bd3ea66d2c522c9434c0aaedb42
SHA1

09c8d3d9d4cfa81b6aaca1f632b5e54bd32f84ec
SHA256

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe
SHA512

d2c197cad73ce15c73820756ea0151a4a658f01b96073ead5fccbc205509f24fa2c0a734be50d181ccc2b7375d44989773def5f94013169c382f46218f837fb6
SSDEEP

196608:qHyia0/zCoiSgzUfF9FFu9/GIJnF9oWFgCezDc5Eua6BTHtaPI2qr9oDGeGeJaKK:UyJ0/zCoNgzUNfE9DJF5g05EH6xMJkkc

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

6c8151.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\7801b8b1.sys 6c8151.exe
Executes dropped EXE 4 IoCs

Processes:

6c7485.tmp935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe6c8151.exeLivePOT.exe

pid process

604 6c7485.tmp
1776 935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1636 6c8151.exe
292 LivePOT.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\7801b8b1.sys	6c8151.exe

pid	process
604	6c7485.tmp
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1636	6c8151.exe
292	LivePOT.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6c8151.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\7801b8b1\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7801b8b1.sys"	6c8151.exe

Deletes itself 1 IoCs

Processes:

6c7485.tmp

pid process

604 6c7485.tmp

pid	process
604	6c7485.tmp

Loads dropped DLL 25 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe6c7485.tmp935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exeLivePOT.exe

pid	process
1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
604	6c7485.tmp
604	6c7485.tmp
604	6c7485.tmp
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
292	LivePOT.exe
292	LivePOT.exe
292	LivePOT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LivePOTUpdater = "C:\\Program Files (x86)\\LivePOT\\LivePotBoot.exe"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

6c8151.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	6c8151.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	6c8151.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	6c8151.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	6c8151.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6c8151.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	6c8151.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	6c8151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6c8151.exe

Drops file in System32 directory 54 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winhttp.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\vbzlib1.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\olepro32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\VB6STKIT.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\urlmon.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\MSFlxGrd.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\comctl32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\MSFlxGrd.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\scrrun.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\olepro32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\scrrun.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\wininet.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\SCRRNKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\INETKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\GDIPLUS.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\vbzlib1.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\msvcrt.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\INETKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\wininet.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\urlmon.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\oleaut32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\msimg32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\comctl32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\stdole2.tlb	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\msvcrt.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\FPSPR70.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\vkUserControlsXP.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\comcat.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\vkUserControlsXP.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\VB6STKIT.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\MSWINSCK.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\asycfilt.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\WINSKKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\MSWINSCK.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\stdole2.tlb	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SCRRNKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\FPSPR70.ocx	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\comcat.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\VB6KO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\oleaut32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\MSINET.OCX	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\MSCOMCTL.OCX	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\asycfilt.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\WINSKKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\MSCOMCTL.OCX	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\MSCMCKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\msvbvm60.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\msimg32.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\GDIPLUS.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\winhttp.dll	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Windows\SysWOW64\SysWOW64\MSCMCKO.DLL	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

Drops file in Program Files directory 8 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	ioc	process
File created	C:\Program Files (x86)\LivePOT\UpdateContents.txt	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePotUpdate.exe	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePotSetting.ini	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePotInfo.INI	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePotBoot.exe	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePOTAD.INI	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\LivePot.exe	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
File created	C:\Program Files (x86)\LivePOT\ÀÌ¿ë¾à°ü.rtf	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

888 schtasks.exe
776 schtasks.exe

pid	process
888	schtasks.exe
776	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\AlternateCLSID = "{6E5311A1-325D-4FFD-9AF4-B373F02AE458}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6262D3A0-531B-11CF-91F6-C2863C385E30}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6262D3A0-531B-11CF-91F6-C2863C385E30}\AlternateCLSID = "{74DD2713-BA98-4D10-A16E-270BBEB9B555}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6262D3A0-531B-11CF-91F6-C2863C385E30}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

Modifies registry class 64 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2\CLSID\ = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83FFE12D-0472-44EC-8BB1-6D4426A96286}\ = "_vkHScroll"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21357F8F-C600-4DF5-A5D3-DCB8F19C623F}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E7052BD-2AF2-46C1-AAD7-8FD8E6DECD4E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\FPSPR70.ocx, 1"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CLSID	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEA6FF44-EF7D-4B57-BEC7-4DBEAB5C9386}\ProxyStubClsid	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF323B47-64E7-42C1-BB26-6F5B6C9DF68B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F94EF446-425A-4484-B6C5-09A363FF7E8B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D9FD75A-CD10-471C-B09E-8CBF4051528E}\TypeLib\ = "{D03BD7A6-46D2-4B8D-B126-DFE88C1FB240}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39977C62-C383-463D-AF61-C71220634656}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60491C5E-3BBE-4EDA-BCF4-E14490D4C10B}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F4DF280-531B-11CF-91F6-C2863C385E30}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F4DF280-531B-11CF-91F6-C2863C385E30}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\ = "ParentControls"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E632D9A-F74A-4340-B907-2489F8A85C5A}\ = "_vkUpDown"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Version	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp\ = "ftp: Asychronous Pluggable Protocol Handler"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E6EF688-E792-4E66-835A-957C3288ED97}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33297897-A3F3-48CB-A471-9ABDCECCB939}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2\ = "Microsoft TabStrip Control 6.0 (SP6)"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628}\InprocServer32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF323B47-64E7-42C1-BB26-6F5B6C9DF68B}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C1CCDD1-2F57-49D2-B6A3-A5A6E4840638}\Implemented Categories	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ = "ISlider"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97C6297-C1D3-4471-958D-183C4FCEF087}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32D365CC-699B-4D50-95EB-D2F25A224718}\InprocServer32\ = "C:\\Windows\\SysWow64\\vkUserControlsXP.ocx"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{849053F7-FF8F-48DB-8907-90BD43DACECC}\ToolboxBitmap32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8CAC7DEA-022B-469C-9F24-BC090CC5CBEE}\MiscStatus\1	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81E315A6-5F97-45DA-A34D-F536402DACBC}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79eac9e6-baf9-11ce-8c82-00aa004ba90b}\InprocServer32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83FFE12D-0472-44EC-8BB1-6D4426A96286}\TypeLib	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9FB92E7-98FF-4979-9D81-2AEAD65648B6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\ = "IStatusBarEvents"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\ = "Microsoft ImageComboBox Control 6.0 (SP6)"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F6AA700-D188-11CD-AD48-00AA003C9CB6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1869C36D-E0BD-45A2-9155-037F9A295E68}\ProxyStubClsid32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vkUserContolsXP.clsFastCollection	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB7B2D1D-8E6A-4BCA-ACAD-31A263D726FA}	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ImageListCtrl"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\ProgID	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E17FFC7-C17A-4F33-ADC2-9ABFF0E7623B}\ = "_vkTextBox"	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe6c8151.exe

pid	process
1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe
1636	6c8151.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

6c8151.exe

pid process

472
1636 6c8151.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6c8151.exe

description pid process

Token: SeDebugPrivilege 1636 6c8151.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

LivePOT.exe

pid process

292 LivePOT.exe
292 LivePOT.exe
292 LivePOT.exe
292 LivePOT.exe
292 LivePOT.exe
292 LivePOT.exe

pid	process
472
1636	6c8151.exe

description	pid	process
Token: SeDebugPrivilege	1636	6c8151.exe

pid	process
292	LivePOT.exe
292	LivePOT.exe
292	LivePOT.exe
292	LivePOT.exe
292	LivePOT.exe
292	LivePOT.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe6c7485.tmp935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe

description	pid	process	target process
PID 1652 wrote to memory of 604	1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	6c7485.tmp
PID 1652 wrote to memory of 604	1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	6c7485.tmp
PID 1652 wrote to memory of 604	1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	6c7485.tmp
PID 1652 wrote to memory of 604	1652	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	6c7485.tmp
PID 604 wrote to memory of 1776	604	6c7485.tmp	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
PID 604 wrote to memory of 1776	604	6c7485.tmp	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
PID 604 wrote to memory of 1776	604	6c7485.tmp	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
PID 604 wrote to memory of 1776	604	6c7485.tmp	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
PID 604 wrote to memory of 1636	604	6c7485.tmp	6c8151.exe
PID 604 wrote to memory of 1636	604	6c7485.tmp	6c8151.exe
PID 604 wrote to memory of 1636	604	6c7485.tmp	6c8151.exe
PID 604 wrote to memory of 1636	604	6c7485.tmp	6c8151.exe
PID 1776 wrote to memory of 888	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 888	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 888	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 888	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 776	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 776	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 776	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 776	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	schtasks.exe
PID 1776 wrote to memory of 292	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	LivePOT.exe
PID 1776 wrote to memory of 292	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	LivePOT.exe
PID 1776 wrote to memory of 292	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	LivePOT.exe
PID 1776 wrote to memory of 292	1776	935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe	LivePOT.exe

C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
"C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\6c7485.tmp
>C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
"C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn LivePOTUpdater /tr "'C:\Program Files (x86)\LivePOT\LivePotBoot.exe'" /sc onlogon /ru NT AUTHORITY\SYSTEM
4⤵
- Creates scheduled task(s)
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn LivePOTUpdater /tr "'C:\Program Files (x86)\LivePOT\LivePotBoot.exe'" /sc onlogon /rl highest /f
4⤵
- Creates scheduled task(s)
PID:776

C:\Program Files (x86)\LivePOT\LivePOT.exe
"C:\Program Files (x86)\LivePOT\LivePOT.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:292

C:\Users\Admin\AppData\Local\Temp\6c8151.exe
"C:\Users\Admin\AppData\Local\Temp\\6c8151.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LivePOT\LivePot.exe
Filesize
2.4MB

MD5
8b4c0d1f3a0315fc38a9736b1b457cdd

SHA1
fd7435b6bb39534afda09abdafedc372e42f23b6

SHA256
064dfc8b95d000ceaa23bf74165be230a1bc11ec1cb55bc3ff5508995f9b2733

SHA512
c12da746f819239971f32c5f6e6c486212013543d9adf7de9689489e9beca33c80599308b4edb703e53ef818482e559311d1799f8f14b407fc0d0c7d0357748a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c7485.tmp
Filesize
9.2MB

MD5
edf07bd3ea66d2c522c9434c0aaedb42

SHA1
09c8d3d9d4cfa81b6aaca1f632b5e54bd32f84ec

SHA256
935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe

SHA512
d2c197cad73ce15c73820756ea0151a4a658f01b96073ead5fccbc205509f24fa2c0a734be50d181ccc2b7375d44989773def5f94013169c382f46218f837fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c7485.tmp
Filesize
9.2MB

MD5
edf07bd3ea66d2c522c9434c0aaedb42

SHA1
09c8d3d9d4cfa81b6aaca1f632b5e54bd32f84ec

SHA256
935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe

SHA512
d2c197cad73ce15c73820756ea0151a4a658f01b96073ead5fccbc205509f24fa2c0a734be50d181ccc2b7375d44989773def5f94013169c382f46218f837fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c8151.exe
Filesize
1.2MB

MD5
2d3f33549e91825a2cc2fe246cbe2799

SHA1
12f12f054ab1e6daf81d85d757830a0f63d690bd

SHA256
8e7f939be042059f271258fbb68be5a31f8fd69810f258681ff48fe76cdfc02b

SHA512
13e68dc2541a8bc2e8b39449567863fa30fbfe04ce4759e3bf25cba1755b7adfffad0466aca5743a13d5615047dd87a53db80dc201d5cbe7f0f700c65986efc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c8151.exe
Filesize
1.2MB

MD5
2d3f33549e91825a2cc2fe246cbe2799

SHA1
12f12f054ab1e6daf81d85d757830a0f63d690bd

SHA256
8e7f939be042059f271258fbb68be5a31f8fd69810f258681ff48fe76cdfc02b

SHA512
13e68dc2541a8bc2e8b39449567863fa30fbfe04ce4759e3bf25cba1755b7adfffad0466aca5743a13d5615047dd87a53db80dc201d5cbe7f0f700c65986efc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Filesize
8.0MB

MD5
c6f612d33b5aa4e8d27288b18ab22eae

SHA1
0f983fc1badf45c8fa243dd7536a2fe6f23d2c16

SHA256
f481273c07c6687c516d4425d42a60582bc17f471bd2201f2df68820e6a1c6a4

SHA512
37b2a6c46d0a846e758591cc33dbd0cc609af489407b2b9cf3f5cf05dfcb0d97d3b610063c8ae8c8abcc0e2b9485e3575d2bf09f342cb230ab2743598aac313a

Download Submit
C:\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Filesize
8.0MB

MD5
c6f612d33b5aa4e8d27288b18ab22eae

SHA1
0f983fc1badf45c8fa243dd7536a2fe6f23d2c16

SHA256
f481273c07c6687c516d4425d42a60582bc17f471bd2201f2df68820e6a1c6a4

SHA512
37b2a6c46d0a846e758591cc33dbd0cc609af489407b2b9cf3f5cf05dfcb0d97d3b610063c8ae8c8abcc0e2b9485e3575d2bf09f342cb230ab2743598aac313a

Download Submit
C:\Windows\SysWow64\FPSPR70.ocx
Filesize
1.3MB

MD5
26c857ff23c3ce707b0ee408add08c96

SHA1
4fc3eaf37ae77802576c980fb5bd24b26db2edeb

SHA256
d9d1a8343a984668a7f858a72e560d7ebcc3eba868eac4e4ad80e9ac6e4e75b3

SHA512
a51f6cf0a911e6a0df5189c0c6f52a5d4fa2c4b52ea3dafed15c2013c969358258ef386d860cb8352f29dfd874ed5c8618daaacf7397c01a27b31e87e18d872a

Download Submit
C:\Windows\SysWow64\MSFlxGrd.ocx
Filesize
252KB

MD5
20e06689d038e05795863694b5e1dcd7

SHA1
8183998f4cdc7fda02e45fed0b41bd90153ff944

SHA256
7827dbdbd340cee846a61238002e5d438b859c06c80e540f29130ce654cc0918

SHA512
cf47105c8bb236025b386f9c6e7cb96abd3484abf04960cdaee562f05c5c3b45e17699449d4e60333e55b0cb316433e6a0d63b94a9fe36d8e9adc2fc871d343b

Download Submit
C:\Windows\SysWow64\MSINET.OCX
Filesize
129KB

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Program Files (x86)\LivePOT\LivePot.exe
Filesize
2.4MB

MD5
8b4c0d1f3a0315fc38a9736b1b457cdd

SHA1
fd7435b6bb39534afda09abdafedc372e42f23b6

SHA256
064dfc8b95d000ceaa23bf74165be230a1bc11ec1cb55bc3ff5508995f9b2733

SHA512
c12da746f819239971f32c5f6e6c486212013543d9adf7de9689489e9beca33c80599308b4edb703e53ef818482e559311d1799f8f14b407fc0d0c7d0357748a

Download Submit
\Program Files (x86)\LivePOT\LivePot.exe
Filesize
2.4MB

MD5
8b4c0d1f3a0315fc38a9736b1b457cdd

SHA1
fd7435b6bb39534afda09abdafedc372e42f23b6

SHA256
064dfc8b95d000ceaa23bf74165be230a1bc11ec1cb55bc3ff5508995f9b2733

SHA512
c12da746f819239971f32c5f6e6c486212013543d9adf7de9689489e9beca33c80599308b4edb703e53ef818482e559311d1799f8f14b407fc0d0c7d0357748a

Download Submit
\Program Files (x86)\LivePOT\LivePot.exe
Filesize
2.4MB

MD5
8b4c0d1f3a0315fc38a9736b1b457cdd

SHA1
fd7435b6bb39534afda09abdafedc372e42f23b6

SHA256
064dfc8b95d000ceaa23bf74165be230a1bc11ec1cb55bc3ff5508995f9b2733

SHA512
c12da746f819239971f32c5f6e6c486212013543d9adf7de9689489e9beca33c80599308b4edb703e53ef818482e559311d1799f8f14b407fc0d0c7d0357748a

Download Submit
\Users\Admin\AppData\Local\Temp\6c7485.tmp
Filesize
9.2MB

MD5
edf07bd3ea66d2c522c9434c0aaedb42

SHA1
09c8d3d9d4cfa81b6aaca1f632b5e54bd32f84ec

SHA256
935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe

SHA512
d2c197cad73ce15c73820756ea0151a4a658f01b96073ead5fccbc205509f24fa2c0a734be50d181ccc2b7375d44989773def5f94013169c382f46218f837fb6

Download Submit
\Users\Admin\AppData\Local\Temp\6c7485.tmp
Filesize
9.2MB

MD5
edf07bd3ea66d2c522c9434c0aaedb42

SHA1
09c8d3d9d4cfa81b6aaca1f632b5e54bd32f84ec

SHA256
935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe

SHA512
d2c197cad73ce15c73820756ea0151a4a658f01b96073ead5fccbc205509f24fa2c0a734be50d181ccc2b7375d44989773def5f94013169c382f46218f837fb6

Download Submit
\Users\Admin\AppData\Local\Temp\6c8151.exe
Filesize
1.2MB

MD5
2d3f33549e91825a2cc2fe246cbe2799

SHA1
12f12f054ab1e6daf81d85d757830a0f63d690bd

SHA256
8e7f939be042059f271258fbb68be5a31f8fd69810f258681ff48fe76cdfc02b

SHA512
13e68dc2541a8bc2e8b39449567863fa30fbfe04ce4759e3bf25cba1755b7adfffad0466aca5743a13d5615047dd87a53db80dc201d5cbe7f0f700c65986efc6

Download Submit
\Users\Admin\AppData\Local\Temp\6c8151.exe
Filesize
1.2MB

MD5
2d3f33549e91825a2cc2fe246cbe2799

SHA1
12f12f054ab1e6daf81d85d757830a0f63d690bd

SHA256
8e7f939be042059f271258fbb68be5a31f8fd69810f258681ff48fe76cdfc02b

SHA512
13e68dc2541a8bc2e8b39449567863fa30fbfe04ce4759e3bf25cba1755b7adfffad0466aca5743a13d5615047dd87a53db80dc201d5cbe7f0f700c65986efc6

Download Submit
\Users\Admin\AppData\Local\Temp\935ab593fe53ee7261bc8e131db83ebd9b895714683e76fe8010f04018cba7fe.exe
Filesize
8.0MB

MD5
c6f612d33b5aa4e8d27288b18ab22eae

SHA1
0f983fc1badf45c8fa243dd7536a2fe6f23d2c16

SHA256
f481273c07c6687c516d4425d42a60582bc17f471bd2201f2df68820e6a1c6a4

SHA512
37b2a6c46d0a846e758591cc33dbd0cc609af489407b2b9cf3f5cf05dfcb0d97d3b610063c8ae8c8abcc0e2b9485e3575d2bf09f342cb230ab2743598aac313a

Download Submit
\Users\Admin\AppData\Local\Temp\nst83C2.tmp\KillProcDLL.dll
Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nst83C2.tmp\nsExec.dll
Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nst83C2.tmp\nsExec.dll
Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Windows\SysWOW64\FPSPR70.ocx
Filesize
1.3MB

MD5
26c857ff23c3ce707b0ee408add08c96

SHA1
4fc3eaf37ae77802576c980fb5bd24b26db2edeb

SHA256
d9d1a8343a984668a7f858a72e560d7ebcc3eba868eac4e4ad80e9ac6e4e75b3

SHA512
a51f6cf0a911e6a0df5189c0c6f52a5d4fa2c4b52ea3dafed15c2013c969358258ef386d860cb8352f29dfd874ed5c8618daaacf7397c01a27b31e87e18d872a

Download Submit
\Windows\SysWOW64\FPSPR70.ocx
Filesize
1.3MB

MD5
26c857ff23c3ce707b0ee408add08c96

SHA1
4fc3eaf37ae77802576c980fb5bd24b26db2edeb

SHA256
d9d1a8343a984668a7f858a72e560d7ebcc3eba868eac4e4ad80e9ac6e4e75b3

SHA512
a51f6cf0a911e6a0df5189c0c6f52a5d4fa2c4b52ea3dafed15c2013c969358258ef386d860cb8352f29dfd874ed5c8618daaacf7397c01a27b31e87e18d872a

Download Submit
\Windows\SysWOW64\INETKO.DLL
Filesize
13KB

MD5
19e49c4802e54762f613cc3fd5c240c9

SHA1
cee468cfd04f12a9fcaa9549fd4e533afc745da4

SHA256
6672e7889d5671716182b4723963a7a5354731563eb5abb67c19a3f6e79f4d8b

SHA512
96bc601aa00395b902ef2361e863d09c828cda1a83f97b4031a8cf2f3f971c072097b1b3e8fa47a2c4ba8b945d79d9e240504aad239aafbe307ad13164f950a5

Download Submit
\Windows\SysWOW64\MSCMCKO.DLL
Filesize
121KB

MD5
1aedbff4f92aa576b0389deee971dc3c

SHA1
8814275b1ac156e7fd247f0a4071e62d247760c0

SHA256
7713469fb22fef9d711b3822f1df02e045d586ac06a4107a228a96e864da0a3f

SHA512
47d890b1e5bb71980c72079be5ebc7e491141b6465a91e047a47e4f163ff95e828c358e0f95abec1a73d47b3a866890d25ca48a625d60f939a829753a885f564

Download Submit
\Windows\SysWOW64\MSFlxGrd.ocx
Filesize
252KB

MD5
20e06689d038e05795863694b5e1dcd7

SHA1
8183998f4cdc7fda02e45fed0b41bd90153ff944

SHA256
7827dbdbd340cee846a61238002e5d438b859c06c80e540f29130ce654cc0918

SHA512
cf47105c8bb236025b386f9c6e7cb96abd3484abf04960cdaee562f05c5c3b45e17699449d4e60333e55b0cb316433e6a0d63b94a9fe36d8e9adc2fc871d343b

Download Submit
\Windows\SysWOW64\MSFlxGrd.ocx
Filesize
252KB

MD5
20e06689d038e05795863694b5e1dcd7

SHA1
8183998f4cdc7fda02e45fed0b41bd90153ff944

SHA256
7827dbdbd340cee846a61238002e5d438b859c06c80e540f29130ce654cc0918

SHA512
cf47105c8bb236025b386f9c6e7cb96abd3484abf04960cdaee562f05c5c3b45e17699449d4e60333e55b0cb316433e6a0d63b94a9fe36d8e9adc2fc871d343b

Download Submit
\Windows\SysWOW64\MSINET.OCX
Filesize
129KB

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSINET.OCX
Filesize
129KB

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx
Filesize
124KB

MD5
40fce4be52f6015c23fd96a4b3351357

SHA1
f4a23cee42125f20444a4b005555d631df2aaacf

SHA256
a0bf5f1ed8d34fd0b6cb1432618986f90256ef4f8c86a1460823e6dfa8edd8ca

SHA512
69f7a8c8a5e82a2c975e410d834aa24ed0b1a32f592fb85eac15b8d3c1bee2dc1c1c88c0dbba0435339cde92e437efebf66c7c15dde1153338b4bd3e536fc922

Download Submit
\Windows\SysWOW64\SCRRNKO.DLL
Filesize
10KB

MD5
7800f2d5e578de3ef92dbff5f88d0f44

SHA1
e570939c7e2174e8ca7031ce795b13992998b137

SHA256
b065efd98b92caa0614f12f91cb844685675d54daf1455e7f1623795241a2461

SHA512
7eb6f8c971639710514a2380d2eadb80ab50b7f122a5a1c50d358171a8f584255dbfaa039fc1e839974fe21c547fe676245276a4e743b2b44df1ddb3cdf0333b

Download Submit
\Windows\SysWOW64\VB6KO.DLL
Filesize
99KB

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
\Windows\SysWOW64\VB6STKIT.DLL
Filesize
100KB

MD5
60bcd4b3e1f34299aeededbf46d67719

SHA1
9ecf20fd4652d7ec1763c405ea8769a807985514

SHA256
635b9f96fc1d8b59e6ea951061e77b5f94cd52d8ac2a8ac4c6a706458dd85864

SHA512
fd0bc3cb0691a716deb5afc4f10a4b377fc917785ea465d6aedcf4842aaa47c96a4528d59e67cf2b07f240aad91269923ad3a7d29885c3f9b1a0e868d1cb06dd

Download Submit
\Windows\SysWOW64\WINSKKO.DLL
Filesize
14KB

MD5
f1edb10b29a457ab81f101c62f70b5a4

SHA1
4a5a21ee4fca5368a79613ef8cf0d4b5f020fbeb

SHA256
efe28fa83ba93c47bb01f412d8e555eea9b1b274e2946ae0bdfa40cc0972c53c

SHA512
af0576dd5108bf441e9949f5f1f09d8b3bd284cc44c8ffabcda925949533a7dc1f39886a903866ca1607731896c4b060cb46b12eea28e3b09cb1e38deba16a5f

Download Submit
\Windows\SysWOW64\vkUserControlsXP.ocx
Filesize
1.1MB

MD5
9d1237a31acf68625e32856552d1643f

SHA1
ecb852670b6734d9946070aa38a3b26931c1d79d

SHA256
6e4e9b48f7105929362286ab434273d1828d08e9b69921d7bb6f175dcaa6170c

SHA512
ccb206060efe3569a4cc4693ddc4b0c65288238183d6676a4c706b2fff0875a32efd303dd1e4ebe96020624883afd961ffb78316898fbd5d52d24060ad7d696e

Download Submit
memory/292-96-0x0000000000000000-mapping.dmp

Download
memory/292-107-0x00000000050C0000-0x0000000006122000-memory.dmp

Filesize
16.4MB

Download
memory/604-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/604-69-0x0000000002950000-0x0000000003587000-memory.dmp

Filesize
12.2MB

Download
memory/604-56-0x0000000000000000-mapping.dmp

Download
memory/776-92-0x0000000000000000-mapping.dmp

Download
memory/888-90-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1636-74-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1636-75-0x0000000001000000-0x0000000001C37000-memory.dmp

Filesize
12.2MB

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1636-70-0x0000000001000000-0x0000000001C37000-memory.dmp

Filesize
12.2MB

Download
memory/1652-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1776-63-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1776-61-0x0000000000000000-mapping.dmp

Download