cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896

Analysis

max time kernel
101s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Size

85KB
MD5

9e089681e524ff0afec259617a374221
SHA1

8852798c9434372717c3786577c73189dcf5f422
SHA256

cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896
SHA512

e94d1be74e59946f6084df0d35ceabc3a9d3def4a797a7e9af5c8b3f52f35c309d728bad67734ab8da05116f9dda0210eb2146b444acfeece8bbe06e3b2b1532
SSDEEP

768:64qm867UTyiWy58XDqQRZrE6uI0ZxbgJ0qbbaWFN8N40xqF1IfoBoEeVpmJ8ohx:57UFWyx1bgnkmF

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C71-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\Version = "6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\ = "ContainedControls"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\ = "DataBindings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cdx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib\Version = "6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\ = "FileSystem Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\ = "SelectedControls"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\ = "EventParameter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ = "_DDataSourceClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{737361EC-467F-11D1-810F-0000F87557AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "6.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\TypeLib\ = "{000204EF-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\ = "ScriptControl Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\ = "IScriptProcedure"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Token: SeBackupPrivilege	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
Token: 5157836	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4764	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	82
PID 3312 wrote to memory of 4764	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	82
PID 3312 wrote to memory of 4764	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	82
PID 3312 wrote to memory of 3448	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	83
PID 3312 wrote to memory of 3448	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	83
PID 3312 wrote to memory of 3448	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	83
PID 3312 wrote to memory of 2312	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	84
PID 3312 wrote to memory of 2312	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	84
PID 3312 wrote to memory of 2312	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	84
PID 3312 wrote to memory of 3700	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	85
PID 3312 wrote to memory of 3700	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	85
PID 3312 wrote to memory of 3700	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	85
PID 3312 wrote to memory of 2300	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	86
PID 3312 wrote to memory of 2300	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	86
PID 3312 wrote to memory of 2300	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	86
PID 3312 wrote to memory of 388	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	87
PID 3312 wrote to memory of 388	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	87
PID 3312 wrote to memory of 388	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	87
PID 3312 wrote to memory of 2864	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	88
PID 3312 wrote to memory of 2864	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	88
PID 3312 wrote to memory of 2864	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	88
PID 3312 wrote to memory of 2436	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	89
PID 3312 wrote to memory of 2436	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	89
PID 3312 wrote to memory of 2436	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	89
PID 3312 wrote to memory of 2308	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	90
PID 3312 wrote to memory of 2308	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	90
PID 3312 wrote to memory of 2308	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	90
PID 3312 wrote to memory of 1556	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	91
PID 3312 wrote to memory of 1556	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	91
PID 3312 wrote to memory of 1556	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	91
PID 3312 wrote to memory of 3908	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	92
PID 3312 wrote to memory of 3908	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	92
PID 3312 wrote to memory of 3908	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	92
PID 3312 wrote to memory of 3016	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	93
PID 3312 wrote to memory of 3016	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	93
PID 3312 wrote to memory of 3016	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	93
PID 3312 wrote to memory of 3004	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	94
PID 3312 wrote to memory of 3004	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	94
PID 3312 wrote to memory of 3004	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	94
PID 3312 wrote to memory of 4564	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	95
PID 3312 wrote to memory of 4564	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	95
PID 3312 wrote to memory of 4564	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	95
PID 3312 wrote to memory of 2548	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	96
PID 3312 wrote to memory of 2548	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	96
PID 3312 wrote to memory of 2548	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	96
PID 3312 wrote to memory of 4480	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	98
PID 3312 wrote to memory of 4480	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	98
PID 3312 wrote to memory of 4480	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	98
PID 3700 wrote to memory of 744	3700	cmd.exe	114
PID 3700 wrote to memory of 744	3700	cmd.exe	114
PID 3700 wrote to memory of 744	3700	cmd.exe	114
PID 3004 wrote to memory of 1620	3004	cmd.exe	115
PID 3004 wrote to memory of 1620	3004	cmd.exe	115
PID 3004 wrote to memory of 1620	3004	cmd.exe	115
PID 4564 wrote to memory of 3300	4564	cmd.exe	116
PID 4564 wrote to memory of 3300	4564	cmd.exe	116
PID 4564 wrote to memory of 3300	4564	cmd.exe	116
PID 3448 wrote to memory of 1192	3448	cmd.exe	117
PID 3448 wrote to memory of 1192	3448	cmd.exe	117
PID 3448 wrote to memory of 1192	3448	cmd.exe	117
PID 3312 wrote to memory of 4672	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	118
PID 3312 wrote to memory of 4672	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	118
PID 3312 wrote to memory of 4672	3312	cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe	118
PID 2308 wrote to memory of 2412	2308	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe
"C:\Users\Admin\AppData\Local\Temp\cad252ecb25cc121ad229124b210a03638e4e0f6b6a74262eae6ad7bbd09f896.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\scrrun.dll /S
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\scrrun.dll /S
    3⤵
    - Modifies registry class
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\wshom.ocx /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\wshom.ocx /S
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\SHELL32.dll /S
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\SHELL32.dll /S
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msvbvm60.dll /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msvbvm60.dll /S
    3⤵
    - Modifies registry class
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msvbvm50.dll /S
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msvbvm50.dll /S
    3⤵
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\WINDOWS\system32\msscript.ocx /S
  2⤵
  PID:388
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\WINDOWS\system32\msscript.ocx /S
    3⤵
    - Modifies registry class
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe "C:\Program Files(x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe "C:\Program Files(x86)\Common Files\DESIGNER\MSADDNDR.DLL " /S
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\scrrun.dll /S
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\scrrun.dll /S
    3⤵
    - Modifies registry class
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\wshom.ocx /S
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\wshom.ocx /S
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\SHELL32.dll /S
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\SHELL32.dll /S
    3⤵
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msvbvm60.dll /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msvbvm60.dll /S
    3⤵
    - Modifies registry class
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msvbvm50.dll /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msvbvm50.dll /S
    3⤵
    PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe C:\Windows\system32\msscript.ocx /S
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe C:\Windows\system32\msscript.ocx /S
    3⤵
    - Modifies registry class
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelAddins.dll /S
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelAddins.dll /S
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelAddins.dll /S
  2⤵
  PID:4672
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelAddins.dll /S
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe ExcelTools.dll /S
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe ExcelTools.dll /S
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe .\Librarys\GifPlayer.dll /S
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe .\Librarys\GifPlayer.dll /S
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\HookMenu.ocx /S
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\HookMenu.ocx /S
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\Msflxgrd.ocx /S
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\Msflxgrd.ocx /S
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\Tabctl32.ocx /S
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\Tabctl32.ocx /S
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c RegSvr32.exe Librarys\ComDlg32.ocx /S
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32.exe Librarys\ComDlg32.ocx /S
    3⤵
    PID:3668

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads