d7e7f9a898072758f1200e507b1809ae5ff868260bb17b53de07103a418de67c

Analysis

max time kernel
154s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b440e7249fc6ed68b5a9688b9dfc591.exe
Size

115KB
MD5

0b440e7249fc6ed68b5a9688b9dfc591
SHA1

093a746aa4faea421f9f2128ac86a9f586229cb0
SHA256

d7e7f9a898072758f1200e507b1809ae5ff868260bb17b53de07103a418de67c
SHA512

5fee9ff2a7f1bf4fbe185c7c4da26114af52900c8556e34a150cf8604e22c1564abd9ec685a94df1c8f8562bb52e0af56df4bc82a00bdb013de638f877f541e7
SSDEEP

3072:9yaci8+ZI+27XoIaBw3YamMzCXB4DjGA:sOqxYA3DjG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
2776	s.exe
2588	odbcasvc.EXE
2532	s.exe
1740	odbcasvc.EXE
2004	s.exe
2208	odbcasvc.EXE
536	s.exe
1528	odbcasvc.EXE
620	s.exe
864	odbcasvc.EXE
1884	s.exe
2480	odbcasvc.EXE
1524	s.exe
1800	odbcasvc.EXE
1296	s.exe
908	odbcasvc.EXE
1804	s.exe
2996	odbcasvc.EXE
1088	s.exe
2552	odbcasvc.EXE
2276	s.exe
2084	odbcasvc.EXE
2740	s.exe
2872	odbcasvc.EXE
2648	s.exe

Loads dropped DLL 51 IoCs

pid	Process
2544	regsvr32.exe
1872	0b440e7249fc6ed68b5a9688b9dfc591.exe
1872	0b440e7249fc6ed68b5a9688b9dfc591.exe
2588	odbcasvc.EXE
2588	odbcasvc.EXE
2532	s.exe
2532	s.exe
1740	odbcasvc.EXE
1740	odbcasvc.EXE
2004	s.exe
2004	s.exe
2208	odbcasvc.EXE
2208	odbcasvc.EXE
536	s.exe
536	s.exe
1528	odbcasvc.EXE
1528	odbcasvc.EXE
620	s.exe
620	s.exe
864	odbcasvc.EXE
864	odbcasvc.EXE
1884	s.exe
1884	s.exe
2480	odbcasvc.EXE
2480	odbcasvc.EXE
1524	s.exe
1524	s.exe
1800	odbcasvc.EXE
1800	odbcasvc.EXE
1296	s.exe
1296	s.exe
908	odbcasvc.EXE
908	odbcasvc.EXE
1804	s.exe
1804	s.exe
2996	odbcasvc.EXE
2996	odbcasvc.EXE
1088	s.exe
1088	s.exe
2552	odbcasvc.EXE
2552	odbcasvc.EXE
2276	s.exe
2276	s.exe
2084	odbcasvc.EXE
2084	odbcasvc.EXE
2740	s.exe
2740	s.exe
2872	odbcasvc.EXE
2872	odbcasvc.EXE
2648	s.exe
2648	s.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File opened for modification	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	0b440e7249fc6ed68b5a9688b9dfc591.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe
File created	C:\Windows\SysWOW64\odbcasvc.exe	s.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\uda.exe	0b440e7249fc6ed68b5a9688b9dfc591.exe
File opened for modification	C:\Windows\uda.exe	odbcasvc.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asa	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ = "_DClass"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C5-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary"	regsvr32.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1872	0b440e7249fc6ed68b5a9688b9dfc591.exe
2776	s.exe
2588	odbcasvc.EXE
2532	s.exe
1740	odbcasvc.EXE
2004	s.exe
2208	odbcasvc.EXE
536	s.exe
1528	odbcasvc.EXE
620	s.exe
864	odbcasvc.EXE
1884	s.exe
2480	odbcasvc.EXE
1524	s.exe
1800	odbcasvc.EXE
1296	s.exe
908	odbcasvc.EXE
1804	s.exe
2996	odbcasvc.EXE
1088	s.exe
2552	odbcasvc.EXE
2276	s.exe
2084	odbcasvc.EXE
2740	s.exe
2872	odbcasvc.EXE
2648	s.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2544	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	27
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2116	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	28
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2888	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	29
PID 1872 wrote to memory of 2776	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	30
PID 1872 wrote to memory of 2776	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	30
PID 1872 wrote to memory of 2776	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	30
PID 1872 wrote to memory of 2776	1872	0b440e7249fc6ed68b5a9688b9dfc591.exe	30
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2700	2776	s.exe	31
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2776 wrote to memory of 2720	2776	s.exe	32
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2620	2588	odbcasvc.EXE	36
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2644	2588	odbcasvc.EXE	37
PID 2588 wrote to memory of 2532	2588	odbcasvc.EXE	38
PID 2588 wrote to memory of 2532	2588	odbcasvc.EXE	38
PID 2588 wrote to memory of 2532	2588	odbcasvc.EXE	38
PID 2588 wrote to memory of 2532	2588	odbcasvc.EXE	38
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39
PID 2532 wrote to memory of 3020	2532	s.exe	39

C:\Users\Admin\AppData\Local\Temp\0b440e7249fc6ed68b5a9688b9dfc591.exe
"C:\Users\Admin\AppData\Local\Temp\0b440e7249fc6ed68b5a9688b9dfc591.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s mswinsck.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2544
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2116
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  - Modifies registry class
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\s.exe
  C:\Users\Admin\AppData\Local\Temp\s.exe inst
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2700
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2720

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2620
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:2644
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:3020
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2572

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1740
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:1984
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:1992
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2004
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1384
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2204

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2208
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:268
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:784
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:536
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1084
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2640

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1528
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:1680
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:2864
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:620
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2240
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2824

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:864
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2308
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:2400
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1884
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1356
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2684

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2480
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2228
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:2476
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1524
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1196
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:852

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1800
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:796
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:948
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1296
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1812
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2044

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:908
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:1272
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:1336
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:3032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:1400

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2996
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:1496
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:3028
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1088
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:3060
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:1164

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2552
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:3040
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2276
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2096
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2352
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:1564

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2084
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2180
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:2736
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2740
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:1056

C:\Windows\SysWOW64\odbcasvc.EXE
C:\Windows\SysWOW64\odbcasvc.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2872
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s scrrun.dll
  2⤵
  - Modifies registry class
  PID:2768
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msvbvm60.dll
  2⤵
  PID:3000
- C:\Windows\TEMP\s.exe
  C:\Windows\TEMP\s.exe inst
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2648
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s scrrun.dll
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s msvbvm60.dll
    3⤵
    PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mswinsck.ocx

Filesize
121KB

MD5
0a53713d5767050fe55498aed4d8b9df

SHA1
5674a6e608cd4e9f2c6fde41a8354876845dc551

SHA256
216573b4aeea15add015109ac51092d93443b7dc6af96300963d37656e7e3a5c

SHA512
a9609ff46ea053249b8adfe341c5063ac4d3a9e555f01dc730b149ddffd3353e79af0e0e1d66c4da638ffff2f3d2a17bfb3182fa736549b812b1da1e6cb15d65

Download Submit
C:\Windows\uda.exe

Filesize
14KB

MD5
79b719f5c3bf7e1025e041df8b92a125

SHA1
3c1814800dcbb1e91b40a5875fbc5aaf2c900d08

SHA256
2deaa3d3a98fa543847a47d54d5dd3e3dbe1726773230c914cd8fdf9d378a771

SHA512
fe265b85eef719ac8832644557f8c8d71eaab5d2613942949dc60f6a209c48ce56587f5c1b560d31355a2a638f2cdaf9f840af3b3070df462b1053602e9bb535

Download Submit
\Users\Admin\AppData\Local\Temp\s.exe

Filesize
115KB

MD5
0b440e7249fc6ed68b5a9688b9dfc591

SHA1
093a746aa4faea421f9f2128ac86a9f586229cb0

SHA256
d7e7f9a898072758f1200e507b1809ae5ff868260bb17b53de07103a418de67c

SHA512
5fee9ff2a7f1bf4fbe185c7c4da26114af52900c8556e34a150cf8604e22c1564abd9ec685a94df1c8f8562bb52e0af56df4bc82a00bdb013de638f877f541e7

Download Submit