0bbf44657d1e8a42ecf712b7e71573c3df291ec5a6dc4c40548df473e31302e7

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0d5bcf6d0464a96396a63381cc3d7bd0.dll
Size

2.6MB
MD5

0d5bcf6d0464a96396a63381cc3d7bd0
SHA1

67daf46add50df7fca73183b137ecb5e6ad40c5d
SHA256

0bbf44657d1e8a42ecf712b7e71573c3df291ec5a6dc4c40548df473e31302e7
SHA512

efdd4ffee5f46f9b86d8f6f967c31e337d84814c6cf5084d0ec8d754b3f277765c2a24bb6f6a4d59caabaf9fd9c7b5ce772b1eeab4f44147642bb77b032a542c
SSDEEP

49152:kdAYXkMPo79kMByZzi+DqqpzLha1ODdui4ykfE8:WAYUMPo79kIyxuWWOJu3H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3568	AD95.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	AD95.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	AD95.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	AD95.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\MicrosoftEdgeUpdateCore.exe	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api	AD95.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU80B9.tmp\msedgeupdate.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	AD95.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	AD95.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api	AD95.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	AD95.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	AD95.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	AD95.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedBrowserWebView.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	AD95.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	AD95.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	AD95.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	AD95.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\ProgID\ = "MSOLAPErrorLookup.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ExtendedErrors	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP\Clsid\ = "{a07ccd0c-8148-11d0-87bb-00c04fc33942}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup.2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\ = "Microsoft OLE DB Provider for OLAP services dialog interfaces 8.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup.2\Clsid\ = "{a07ccd0d-8148-11d0-87bb-00c04fc33942}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\VersionIndependentProgID\ = "MSOLAPErrorLookup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ExtendedErrors\{a07ccd0d-8148-11d0-87bb-00c04fc33942}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ = "IDisplayConnection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\OLE DB MD Provider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP\ = "Microsoft OLE DB Provider for Olap Services"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ProgID\ = "MSOLAP.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\OLE DB Provider\ = "Microsoft OLE DB Provider for Olap Services 8.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup.2\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ = "MSOLAP"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\OLE DB Provider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup\ = "Microsoft OLE DB Provider for Olap Services Error Lookup 8.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.0d5bcf6d0464a96396a63381cc3d7bd0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ExtendedErrors\ = "Extended Error Service"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP.2\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\VersionIndependentProgID\ = "MSOLAP"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP.2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\OLE DB MD Provider\ = "Microsoft OLE DB Provider for Olap Services 8.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup\Clsid\ = "{a07ccd0d-8148-11d0-87bb-00c04fc33942}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\ExtendedErrors\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\ = "MSOLAP Error Lookup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ = "IDisplayConnection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP.2\Clsid\ = "{a07ccd0c-8148-11d0-87bb-00c04fc33942}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0c-8148-11d0-87bb-00c04fc33942}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\ = "MSOLAP ErrorLookup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib\ = "{A07CCD10-8148-11D0-87BB-00C04FC33942}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07CCD11-8148-11D0-87BB-00C04FC33942}\TypeLib\ = "{A07CCD10-8148-11D0-87BB-00C04FC33942}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAPErrorLookup.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a07ccd0d-8148-11d0-87bb-00c04fc33942}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A07CCD10-8148-11D0-87BB-00C04FC33942}	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4436	4424	regsvr32.exe	84
PID 4424 wrote to memory of 4436	4424	regsvr32.exe	84
PID 4424 wrote to memory of 4436	4424	regsvr32.exe	84
PID 4436 wrote to memory of 3568	4436	regsvr32.exe	88
PID 4436 wrote to memory of 3568	4436	regsvr32.exe	88
PID 4436 wrote to memory of 3568	4436	regsvr32.exe	88

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\NEAS.0d5bcf6d0464a96396a63381cc3d7bd0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\NEAS.0d5bcf6d0464a96396a63381cc3d7bd0.dll
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\AD95.tmp
    C:\Users\Admin\AppData\Local\Temp\AD95.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AD95.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD95.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/4436-0-0x0000000000BB0000-0x0000000000C52000-memory.dmp

Filesize
648KB

Download
memory/4436-1-0x0000000000BB0000-0x0000000000C52000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads