cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Size

85KB
MD5

9e089681e524ff0afec259617a374221
SHA1

8852798c9434372717c3786577c73189dcf5f422
SHA256

cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896
SHA512

e94d1be74e59946f6084df0d35ceabc3a9d3def4a797a7e9af5c8b3f52f35c309d728bad67734ab8da05116f9dda0210eb2146b444acfeece8bbe06e3b2b1532
SSDEEP

768:64qm867UTyiWy58XDqQRZrE6uI0ZxbgJ0qbbaWFN8N40xqF1IfoBoEeVpmJ8ohx:57UFWyx1bgnkmF

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{E436987E-F427-4AD7-8738-6D0895A3E93F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\AlternateCLSID = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C70-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC0714F3-3D04-11D1-AE7D-00A0C90F26F4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ = "EventInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInDesigner\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ = "DataBindings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl.1\ = "ScriptControl Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\ = "EventParameters"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\VersionIndependentProgID\ = "MSAddnDr.AddInInstance"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\TypeLib\ = "{AC0714F2-3D04-11D1-AE7D-00A0C90F26F4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ = "C:\\Windows\\SysWow64\\msvbvm60.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C70-067D-11D0-95D8-00A02463AB28}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\CurVer\ = "MSScriptControl.ScriptControl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C4-4442-11D1-8906-00A0C9110049}\ = "_DPersistableClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F6-3D04-11D1-AE7D-00A0C90F26F4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ = "_DClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\ = "Addin Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\ = "IScriptProcedure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ = "DataMembers"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC0714F4-3D04-11D1-AE7D-00A0C90F26F4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAddnDr.AddInInstance.1\CLSID\ = "{AB5357A7-3179-47F9-A705-966B8B936D5E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C71-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB5357A7-3179-47F9-A705-966B8B936D5E}\TypeLib\ = "{AC0714F2-3D04-11D1-AE7D-00A0C90F26F4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC0714F7-3D04-11D1-AE7D-00A0C90F26F4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\ = "_DDataBoundAndDataSourceClass"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Token: SeBackupPrivilege	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Token: 2821268	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2916	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	28
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2760	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	29
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2516	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	31
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2372	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	32
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2528	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	34
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2620	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	37
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2644	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	39
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2616	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	40
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 2548	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	42
PID 3056 wrote to memory of 1952	3056	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	43

C:\Users\Admin\AppData\Local\Temp\cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
"C:\Users\Admin\AppData\Local\Temp\cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\scrrun.dll /S
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\scrrun.dll /S
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\wshom.ocx /S
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\wshom.ocx /S
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\SHELL32.dll /S
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\SHELL32.dll /S
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msvbvm60.dll /S
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msvbvm60.dll /S
    3⤵
    - Modifies registry class
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msvbvm50.dll /S
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msvbvm50.dll /S
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msscript.ocx /S
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msscript.ocx /S
    3⤵
    - Modifies registry class
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files(x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files(x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\scrrun.dll /S
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\scrrun.dll /S
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\wshom.ocx /S
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\wshom.ocx /S
    3⤵
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\SHELL32.dll /S
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\SHELL32.dll /S
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msvbvm60.dll /S
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msvbvm60.dll /S
    3⤵
    - Modifies registry class
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msvbvm50.dll /S
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msvbvm50.dll /S
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msscript.ocx /S
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msscript.ocx /S
    3⤵
    - Modifies registry class
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL /S
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL /S
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelAddins.dll /S
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelAddins.dll /S
    3⤵
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelAddins.dll /S
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelAddins.dll /S
    3⤵
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelTools.dll /S
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelTools.dll /S
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe .\Librarys\GifPlayer.dll /S
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe .\Librarys\GifPlayer.dll /S
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\HookMenu.ocx /S
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\HookMenu.ocx /S
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\Msflxgrd.ocx /S
  2⤵
  PID:2604
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\Msflxgrd.ocx /S
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\Tabctl32.ocx /S
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\Tabctl32.ocx /S
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\ComDlg32.ocx /S
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\ComDlg32.ocx /S
    3⤵
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads