Analysis
max time kernel: 126s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:16
Static task
static1
Behavioral task
behavioral1
Sample: ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
Resource: win7-20240508-en
Behavioral task
behavioral2
Sample: ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
Resource: win10v2004-20240426-en
General
Target: ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
Size: 1004KB
MD5: 88720b6ad4c018aebfd1d3582185e88f
SHA1: d7fa196caac4de4b95945133cc66495ba4631ffb
SHA256: ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986
SHA512: 4682ef7396d592430270b40f7349c1149b91465dd7eded4c4c3ff0dd461c238d64e78b320cb15ae4365376382ecde7d9fcddae3c414f066c2a4b7245d5649e29
SSDEEP: 24576:eIWjf3z96HyzbJ+AUTpldXPEKKYJkwrsrIZmDliBlzHbpabTW/cV:eIsEHRYcMil4
Malware Config
Signatures
Executes dropped EXE 30 IoCs
pid   Process
272   993.#.exe
2660  368.#.exe
2420  3.#.exe
2196  240.#.exe
1552  875.#.exe
288   187.#.exe
2520  581.#.exe
2428  304.#.exe
964   544.#.exe
2596  877.#.exe
1000  258.#.exe
2008  491.#.exe
2652  659.#.exe
1476  657.#.exe
920   870.#.exe
2696  218.#.exe
2072  173.#.exe
1048  49.#.exe
2820  915.#.exe
1276  752.#.exe
2920  406.#.exe
1696  376.#.exe
2164  345.#.exe
2032  697.#.exe
764   96.#.exe
2912  83.#.exe
1060  843.#.exe
1752  551.#.exe
1956  293.#.exe
1936  183.#.exe
Loads dropped DLL 64 IoCs
The report lists one row per load event; rows for the same process are counted here.
pid   Process                                                                 load events
2904  ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe  1
272   993.#.exe                                                               4
2660  368.#.exe                                                               4
2420  3.#.exe                                                                 4
2196  240.#.exe                                                               4
1552  875.#.exe                                                               4
288   187.#.exe                                                               4
2520  581.#.exe                                                               4
2428  304.#.exe                                                               4
964   544.#.exe                                                               4
2596  877.#.exe                                                               4
1000  258.#.exe                                                               4
2008  491.#.exe                                                               4
2652  659.#.exe                                                               4
1476  657.#.exe                                                               4
920   870.#.exe                                                               4
2696  218.#.exe                                                               3 (listing ends after 64 entries)
Adds Run key to start application 2 TTPs 62 IoCs
description: Set value (str)
All 31 processes in the chain (the submitted sample and the 30 dropped executables) write the same two values under the WOW64 view of HKLM\Software:
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll"
  Process: 187.#.exe, 406.#.exe, 491.#.exe, 173.#.exe, 49.#.exe, 3.#.exe, 875.#.exe, 376.#.exe, 877.#.exe, 915.#.exe, 551.#.exe, 240.#.exe, 870.#.exe, 993.#.exe, 345.#.exe, 83.#.exe, 657.#.exe, 218.#.exe, 368.#.exe, 293.#.exe, 843.#.exe, 258.#.exe, 659.#.exe, 544.#.exe, 752.#.exe, 697.#.exe, ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe, 304.#.exe, 183.#.exe, 581.#.exe, 96.#.exe (31 IoCs)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe"
  Process: 843.#.exe, 544.#.exe, 304.#.exe, 752.#.exe, 915.#.exe, 258.#.exe, 406.#.exe, 293.#.exe, 183.#.exe, 240.#.exe, 187.#.exe, ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe, 993.#.exe, 368.#.exe, 345.#.exe, 697.#.exe, 581.#.exe, 376.#.exe, 551.#.exe, 3.#.exe, 877.#.exe, 657.#.exe, 83.#.exe, 173.#.exe, 659.#.exe, 870.#.exe, 218.#.exe, 49.#.exe, 875.#.exe, 491.#.exe, 96.#.exe (31 IoCs)
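The two Run values above are what a host or telemetry check should key on: a logon-time regsvr32 of a DLL given by bare name (resolved through the DLL search order, not a fixed path) and an executable parked in a hex-named directory directly under C:\. The detector below is an added example, not part of the tria.ge report: it runs over constructed registry set-value records that mirror the report's IoCs plus two benign controls. The record shape (key, data, image) is an assumption about the telemetry source. It matches both the native and the Wow6432Node Run keys, because a 32-bit process on 64-bit Windows writing HKLM\Software lands in Wow6432Node, which is why the report shows that path.

```python
"""Flag Run-key persistence of the kind this report records.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed:
the first two records mirror the report's IoCs, the last two are benign.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Run / RunOnce under HKLM or an HKU hive, native or WOW64 (Wow6432Node) view.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\SOFTWARE\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)

# regsvr32 given a DLL by bare file name: resolved through the DLL search
# order at every logon instead of from a fixed path.
REGSVR32_BARE_DLL_RE = re.compile(
    r'^"?regsvr32(\.exe)?"?\s+(/\w+\s+)*[^\\/:\s]+\.dll\s*$', re.IGNORECASE
)

# An executable directly under a hex-named directory in the drive root,
# e.g. C:\10a0699fa37928d39c\spfirewall.exe.
HEX_ROOT_DIR_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\[0-9a-f]{12,}\\[^\\]+\.exe"?(\s|$)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    value_name: str
    data: str
    image: str
    reason: str


def classify_autorun_data(data: str) -> Optional[str]:
    """Return why an autorun value's data is suspicious, or None if it is not."""
    data = data.strip()
    if REGSVR32_BARE_DLL_RE.match(data):
        return "regsvr32 re-registers a DLL by bare name on every logon"
    if HEX_ROOT_DIR_EXE_RE.match(data):
        return "autorun target sits in a hex-named directory under the drive root"
    return None


def analyze(events: List[dict]) -> List[Finding]:
    """Walk registry set-value records and return findings for suspicious Run values."""
    findings = []
    for ev in events:
        key = ev["key"]
        if not RUN_KEY_RE.match(key):
            continue  # not an autorun location
        reason = classify_autorun_data(ev["data"])
        if reason:
            value_name = key.rsplit("\\", 1)[1]
            findings.append(Finding(value_name, ev["data"], ev["image"], reason))
    return findings


# Constructed records (not real telemetry).
SAMPLE_EVENTS = [
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib",
     "data": "regsvr32.exe /s scrrun.dll", "image": "187.#.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector",
     "data": r"C:\10a0699fa37928d39c\spfirewall.exe", "image": "843.#.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background', "image": "setup.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache",
     "data": r"C:\Users\Admin\AppData\Local\Temp", "image": "explorer.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.image}: {f.value_name} = {f.data!r} ({f.reason})")
```

On a live host the same two checks apply to both HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its Wow6432Node twin; a regsvr32 entry that names the DLL with a full System32 path is not flagged, only the bare-name form is.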
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe$ | 544.#.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ | 659.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\ | 3.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\ | 877.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\ | 875.#.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\ | 187.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\ | 49.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\ | 368.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\ | 258.#.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ | 406.#.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe$ | 752.#.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\ | 752.#.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\ | 659.#.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\ | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\ | 304.#.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ | 877.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\ | 581.#.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ | 368.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\ | 3.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\ | 187.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ | 581.#.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\ | 49.#.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\ | 491.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\ | 877.#.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\ | 240.#.exe
File opened for modification | C:\Program Files\Windows Journal\Templates\ | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\vi\ | 581.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe$ | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\ | 659.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\ | 581.#.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ | 304.#.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe$ | 870.#.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\ | 240.#.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\ | 659.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\ | 993.#.exe
File opened for modification | C:\Program Files\Internet Explorer\en-US\ | 544.#.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\ | 258.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\ | 581.#.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\ | 877.#.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\de-DE\ | 993.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\ | 240.#.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\ | 3.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\ | 993.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\ | 870.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\ | 659.#.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\ | 187.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\ | 240.#.exe
File created | C:\Program Files (x86)\Windows Mail\wab.exe | 491.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\ | 581.#.exe
File opened for modification | C:\Program Files\Windows Defender\en-US\ | 187.#.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\ | 187.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\ | 3.#.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ | 544.#.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\ | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\ | 657.#.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ | 915.#.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\ | 993.#.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hr\ | 875.#.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\ | 304.#.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | 752.#.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | 187.#.exe
File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
File opened for modification | C:\Program Files\Windows Sidebar\de-DE\ | 187.#.exe
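Four of the entries above are executables with a "$" suffix (PDIALOG.exe$, DVDMaker.exe$, pipanel.exe$, iediagcmd.exe$) sitting next to "File created" and "File opened for modification" entries for other executables in Program Files. The report does not say what the "$" copy is; treating it as a preserved copy of the original is an assumption. The host check below is an added example, not part of the tria.ge report: it walks a directory tree, pairs every <name>.exe$ with its <name>.exe sibling, hashes both and reports orphans, so a responder can see which originals were touched without guessing. It runs against a small constructed tree with placeholder contents rather than a real Program Files.

```python
"""List '.exe$' twins beside executables under a Program Files tree.

Added example, not part of the sandbox report. build_constructed_tree() makes
a stand-in directory with the report's file names and placeholder bytes.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_dollar_twins(root: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (pairs, orphans).

    pairs:   <name>.exe found next to <name>.exe$, with both hashes
    orphans: .exe$ files whose <name>.exe sibling is missing
    Name matching is case-insensitive because NTFS is.
    """
    pairs, orphans = [], []
    for dirpath, _, files in os.walk(root):
        lower_to_name = {n.lower(): n for n in files}
        for name in files:
            if not name.lower().endswith(".exe$"):
                continue
            twin_path = os.path.join(dirpath, name)
            original = lower_to_name.get(name[:-1].lower())  # drop the trailing '$'
            if original is None:
                orphans.append(twin_path)
                continue
            orig_path = os.path.join(dirpath, original)
            exe_hash, twin_hash = sha256_of(orig_path), sha256_of(twin_path)
            pairs.append({
                "exe": orig_path,
                "twin": twin_path,
                "exe_sha256": exe_hash,
                "twin_sha256": twin_hash,
                "same_content": exe_hash == twin_hash,
            })
    return pairs, orphans


def build_constructed_tree(base: str) -> str:
    """Stand-in for a Program Files tree using the report's names (placeholder bytes, not binaries)."""
    root = Path(base) / "Program Files"
    (root / "Windows Journal").mkdir(parents=True)
    (root / "Windows Journal" / "PDIALOG.exe").write_bytes(b"MZ placeholder: modified")
    (root / "Windows Journal" / "PDIALOG.exe$").write_bytes(b"MZ placeholder: original")
    (root / "Internet Explorer").mkdir()
    (root / "Internet Explorer" / "iediagcmd.exe$").write_bytes(b"MZ placeholder")  # no sibling
    (root / "Windows Defender").mkdir()
    (root / "Windows Defender" / "MpCmdRun.exe").write_bytes(b"MZ placeholder")  # no twin
    return str(root)


def run_demo() -> Tuple[List[str], List[str], List[bool]]:
    """Scan the constructed tree; returns base names so the result is path-independent."""
    with tempfile.TemporaryDirectory() as tmp:
        pairs, orphans = scan_for_dollar_twins(build_constructed_tree(tmp))
    return ([os.path.basename(p["exe"]) for p in pairs],
            [os.path.basename(o) for o in orphans],
            [p["same_content"] for p in pairs])


if __name__ == "__main__":
    print(run_demo())
```

Point scan_for_dollar_twins() at C:\Program Files and C:\Program Files (x86) on a suspect host; a pair whose hashes differ is the case worth pulling both files for.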
NTFS ADS 31 IoCs
description: File opened for modification
ioc: C:\Users\Admin\AppData\Local\Temp\:\systemlog.log (the same alternate data stream for every process)
Process: 187.#.exe, 697.#.exe, 83.#.exe, 218.#.exe, 843.#.exe, 183.#.exe, 258.#.exe, 915.#.exe, 345.#.exe, 293.#.exe, 993.#.exe, 544.#.exe, 870.#.exe, 49.#.exe, 406.#.exe, 376.#.exe, 96.#.exe, 3.#.exe, 581.#.exe, 304.#.exe, ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe, 659.#.exe, 657.#.exe, 752.#.exe, 368.#.exe, 240.#.exe, 875.#.exe, 491.#.exe, 173.#.exe, 551.#.exe, 877.#.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid   Process
2904  ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe
272   993.#.exe
2660  368.#.exe
2420  3.#.exe
2196  240.#.exe
1552  875.#.exe
288   187.#.exe
2520  581.#.exe
2428  304.#.exe
964   544.#.exe
2596  877.#.exe
1000  258.#.exe
2008  491.#.exe
2652  659.#.exe
1476  657.#.exe
920   870.#.exe
2696  218.#.exe
2072  173.#.exe
1048  49.#.exe
2820  915.#.exe
1276  752.#.exe
2920  406.#.exe
1696  376.#.exe
2164  345.#.exe
2032  697.#.exe
764   96.#.exe
2912  83.#.exe
1060  843.#.exe
1752  551.#.exe
1956  293.#.exe
1936  183.#.exe
Suspicious use of WriteProcessMemory 64 IoCs
description: PID <pid> wrote to memory of <target pid>. The report lists one row per write; rows for the same pair are counted here.
pid   Process                                                                 target pid  procid_target  writes
2904  ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe  2976        28             7
2904  ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe  2316        29             7
2904  ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe  272         30             7
272   993.#.exe                                                               2432        31             7
272   993.#.exe                                                               2240        32             7
272   993.#.exe                                                               2660        33             7
2660  368.#.exe                                                               2492        34             7
2660  368.#.exe                                                               408         35             7
2660  368.#.exe                                                               2420        36             7
2420  3.#.exe                                                                 1924        37             1 (listing ends after 64 entries)
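Every target PID in the WriteProcessMemory list is a direct child of the writing process in the tree below (2904 writes only to 2976, 2316 and 272; 272 only to 2432, 2240 and 2660; and so on), which is consistent with the writes being part of launching those children rather than injection into unrelated processes. The stronger signal is the shape of the tree itself: each executable in %TEMP% spawns regsvr32.exe /s scrrun.dll, a wscript.exe run of a .vbs from Temporary Internet Files, and another %TEMP% executable that repeats the pattern, fourteen levels deep in the captured run. The detector below is an added example, not part of the tria.ge report: it rebuilds the tree from constructed process-creation events mirroring the first four levels of the report (with one benign control) and returns the chain of dropper stages. The event shape (pid, ppid, image, cmdline) is an assumption about the telemetry source; ppid 0 stands for a parent outside the captured tree.

```python
"""Reconstruct a process tree and flag a self-repeating dropper chain.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's process tree; the benign setup.exe entries are invented.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TIF = r"C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89"
SYSWOW = r"C:\Windows\SysWOW64"
SAMPLE = TEMP + r"\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"

# (pid, ppid, image, cmdline); ppid 0 = parent outside the captured tree
SAMPLE_EVENTS = [
    (2904, 0, SAMPLE, '"' + SAMPLE + '"'),
    (2976, 2904, SYSWOW + r"\regsvr32.exe", "regsvr32.exe /s scrrun.dll"),
    (2316, 2904, SYSWOW + r"\wscript.exe", 'wscript.exe "' + TIF + r'\237880.vbs"'),
    (272, 2904, TEMP + r"\993.#.exe", TEMP + r"\993.#.exe"),
    (2432, 272, SYSWOW + r"\regsvr32.exe", "regsvr32.exe /s scrrun.dll"),
    (2240, 272, SYSWOW + r"\wscript.exe", 'wscript.exe "' + TIF + r'\79281.vbs"'),
    (2660, 272, TEMP + r"\368.#.exe", TEMP + r"\368.#.exe"),
    (2492, 2660, SYSWOW + r"\regsvr32.exe", "regsvr32.exe /s scrrun.dll"),
    (408, 2660, SYSWOW + r"\wscript.exe", 'wscript.exe "' + TIF + r'\965969.vbs"'),
    (2420, 2660, TEMP + r"\3.#.exe", TEMP + r"\3.#.exe"),
    (1924, 2420, SYSWOW + r"\regsvr32.exe", "regsvr32.exe /s scrrun.dll"),
    (2812, 2420, SYSWOW + r"\wscript.exe", 'wscript.exe "' + TIF + r'\590404.vbs"'),
    (2196, 2420, TEMP + r"\240.#.exe", TEMP + r"\240.#.exe"),
    # benign control (invented): an installer in %TEMP% that only runs msiexec
    (5000, 0, TEMP + r"\setup.exe", TEMP + r"\setup.exe"),
    (5001, 5000, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i app.msi"),
]

TEMP_EXE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
REGSVR32_SCRRUN_RE = re.compile(r"^regsvr32(\.exe)?\s+/s\s+scrrun\.dll$", re.IGNORECASE)
WSCRIPT_TIF_VBS_RE = re.compile(r'^wscript(\.exe)?\s+"[^"]*\\Temporary Internet Files\\[^"]*\.vbs"$', re.IGNORECASE)

Tree = Tuple[Dict[int, Tuple[int, str, str]], Dict[int, List[int]]]


def build_tree(events) -> Tree:
    """Index events by pid and collect each pid's children in event order."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def is_dropper_stage(pid: int, tree: Tree) -> bool:
    """A %TEMP% executable that spawned both the regsvr32 and the wscript helper."""
    by_pid, children = tree
    if not TEMP_EXE_RE.match(by_pid[pid][1]):
        return False
    seen = set()
    for child in children.get(pid, []):
        cmd = by_pid[child][2].strip()
        if REGSVR32_SCRRUN_RE.match(cmd):
            seen.add("regsvr32")
        elif WSCRIPT_TIF_VBS_RE.match(cmd):
            seen.add("wscript")
    return {"regsvr32", "wscript"} <= seen


def dropper_chain(root: int, tree: Tree) -> List[int]:
    """Follow root -> its %TEMP% child -> ... for as long as each hop is a dropper stage."""
    by_pid, children = tree
    chain, pid = [], root
    while is_dropper_stage(pid, tree):
        chain.append(pid)
        nxt = [c for c in children.get(pid, []) if TEMP_EXE_RE.match(by_pid[c][1])]
        if not nxt:
            break
        pid = nxt[0]
    return chain


def find_chains(events, min_stages: int = 2) -> List[List[int]]:
    """Chains of at least min_stages; one stage could be an installer, repetition is the signal."""
    tree = build_tree(events)
    by_pid, _ = tree
    roots = [pid for pid, (ppid, _, _) in by_pid.items() if ppid not in by_pid]
    return [c for c in (dropper_chain(r, tree) for r in roots) if len(c) >= min_stages]


if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Fed Sysmon or EDR process-creation events from a real host, the same functions return each chain as the ordered PIDs of its stages; the regex on the wscript argument ties the stage to the .vbs files the report shows under Temporary Internet Files.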
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll2⤵PID:2976
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\237880.vbs"2⤵PID:2316
-
-
C:\Users\Admin\AppData\Local\Temp\993.#.exeC:\Users\Admin\AppData\Local\Temp\993.#.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll3⤵PID:2432
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\79281.vbs"3⤵PID:2240
-
-
C:\Users\Admin\AppData\Local\Temp\368.#.exeC:\Users\Admin\AppData\Local\Temp\368.#.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll4⤵PID:2492
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\965969.vbs"4⤵PID:408
-
-
C:\Users\Admin\AppData\Local\Temp\3.#.exeC:\Users\Admin\AppData\Local\Temp\3.#.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll5⤵PID:1924
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\590404.vbs"5⤵PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\240.#.exeC:\Users\Admin\AppData\Local\Temp\240.#.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2196 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll6⤵PID:1252
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\804439.vbs"6⤵PID:1264
-
-
C:\Users\Admin\AppData\Local\Temp\875.#.exeC:\Users\Admin\AppData\Local\Temp\875.#.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1552 -
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 7 | PID:1720
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\462368.vbs" | depth 7 | PID:1120
C:\Users\Admin\AppData\Local\Temp\187.#.exe | C:\Users\Admin\AppData\Local\Temp\187.#.exe | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:288
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 8 | PID:2112
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\435924.vbs" | depth 8 | PID:2604
C:\Users\Admin\AppData\Local\Temp\581.#.exe | C:\Users\Admin\AppData\Local\Temp\581.#.exe | depth 8
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2520
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 9 | PID:2696
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\942852.vbs" | depth 9 | PID:912
C:\Users\Admin\AppData\Local\Temp\304.#.exe | C:\Users\Admin\AppData\Local\Temp\304.#.exe | depth 9
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2428
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 10 | PID:2056
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\137645.vbs" | depth 10 | PID:2944
C:\Users\Admin\AppData\Local\Temp\544.#.exe | C:\Users\Admin\AppData\Local\Temp\544.#.exe | depth 10
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:964
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 11 | PID:2560
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\111004.vbs" | depth 11 | PID:2180
C:\Users\Admin\AppData\Local\Temp\877.#.exe | C:\Users\Admin\AppData\Local\Temp\877.#.exe | depth 11
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2596
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 12 | PID:2680
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\865459.vbs" | depth 12 | PID:2972
C:\Users\Admin\AppData\Local\Temp\258.#.exe | C:\Users\Admin\AppData\Local\Temp\258.#.exe | depth 12
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1000
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 13 | PID:704
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\471370.vbs" | depth 13 | PID:2700
C:\Users\Admin\AppData\Local\Temp\491.#.exe | C:\Users\Admin\AppData\Local\Temp\491.#.exe | depth 13
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2008
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 14 | PID:1636
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\139126.vbs" | depth 14 | PID:2916
C:\Users\Admin\AppData\Local\Temp\659.#.exe | C:\Users\Admin\AppData\Local\Temp\659.#.exe | depth 14
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2652
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 15 | PID:2992
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\877269.vbs" | depth 15 | PID:2700
C:\Users\Admin\AppData\Local\Temp\657.#.exe | C:\Users\Admin\AppData\Local\Temp\657.#.exe | depth 15
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1476
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 16 | PID:1724
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\989711.vbs" | depth 16 | PID:2888
C:\Users\Admin\AppData\Local\Temp\870.#.exe | C:\Users\Admin\AppData\Local\Temp\870.#.exe | depth 16
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:920
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 17 | PID:1832
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\850948.vbs" | depth 17 | PID:1660
C:\Users\Admin\AppData\Local\Temp\218.#.exe | C:\Users\Admin\AppData\Local\Temp\218.#.exe | depth 17
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2696
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 18 | PID:1992
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\841213.vbs" | depth 18 | PID:2180
C:\Users\Admin\AppData\Local\Temp\173.#.exe | C:\Users\Admin\AppData\Local\Temp\173.#.exe | depth 18
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2072
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 19 | PID:2440
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\505245.vbs" | depth 19 | PID:852
C:\Users\Admin\AppData\Local\Temp\49.#.exe | C:\Users\Admin\AppData\Local\Temp\49.#.exe | depth 19
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1048
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 20 | PID:1096
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\424160.vbs" | depth 20 | PID:876
C:\Users\Admin\AppData\Local\Temp\915.#.exe | C:\Users\Admin\AppData\Local\Temp\915.#.exe | depth 20
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2820
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 21 | PID:1820
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\401912.vbs" | depth 21 | PID:1212
C:\Users\Admin\AppData\Local\Temp\752.#.exe | C:\Users\Admin\AppData\Local\Temp\752.#.exe | depth 21
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1276
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 22 | PID:1568
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\956829.vbs" | depth 22 | PID:2832
C:\Users\Admin\AppData\Local\Temp\406.#.exe | C:\Users\Admin\AppData\Local\Temp\406.#.exe | depth 22
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2920
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 23 | PID:2888
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\898311.vbs" | depth 23 | PID:1508
C:\Users\Admin\AppData\Local\Temp\376.#.exe | C:\Users\Admin\AppData\Local\Temp\376.#.exe | depth 23
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1696
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 24 | PID:1584
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\611751.vbs" | depth 24 | PID:1504
C:\Users\Admin\AppData\Local\Temp\345.#.exe | C:\Users\Admin\AppData\Local\Temp\345.#.exe | depth 24
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2164
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 25 | PID:2448
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\843166.vbs" | depth 25 | PID:2040
C:\Users\Admin\AppData\Local\Temp\697.#.exe | C:\Users\Admin\AppData\Local\Temp\697.#.exe | depth 25
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2032
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 26 | PID:1500
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\896618.vbs" | depth 26 | PID:1644
C:\Users\Admin\AppData\Local\Temp\96.#.exe | C:\Users\Admin\AppData\Local\Temp\96.#.exe | depth 26
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:764
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 27 | PID:1516
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\301479.vbs" | depth 27 | PID:2576
C:\Users\Admin\AppData\Local\Temp\83.#.exe | C:\Users\Admin\AppData\Local\Temp\83.#.exe | depth 27
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2912
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 28 | PID:2392
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\947857.vbs" | depth 28 | PID:468
C:\Users\Admin\AppData\Local\Temp\843.#.exe | C:\Users\Admin\AppData\Local\Temp\843.#.exe | depth 28
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1060
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 29 | PID:1284
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\243023.vbs" | depth 29 | PID:2808
C:\Users\Admin\AppData\Local\Temp\551.#.exe | C:\Users\Admin\AppData\Local\Temp\551.#.exe | depth 29
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1752
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 30 | PID:2916
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\741161.vbs" | depth 30 | PID:1792
C:\Users\Admin\AppData\Local\Temp\293.#.exe | C:\Users\Admin\AppData\Local\Temp\293.#.exe | depth 30
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1956
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 31 | PID:2956
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\75237.vbs" | depth 31 | PID:1492
C:\Users\Admin\AppData\Local\Temp\183.#.exe | C:\Users\Admin\AppData\Local\Temp\183.#.exe | depth 31
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1936
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 32 | PID:1592
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\61779.vbs" | depth 32 | PID:2928
C:\Users\Admin\AppData\Local\Temp\166.#.exe | C:\Users\Admin\AppData\Local\Temp\166.#.exe | depth 32 | PID:2864
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 33 | PID:2332
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\246669.vbs" | depth 33 | PID:2480
C:\Users\Admin\AppData\Local\Temp\616.#.exe | C:\Users\Admin\AppData\Local\Temp\616.#.exe | depth 33 | PID:2312
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 34 | PID:2412
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\206844.vbs" | depth 34 | PID:2888
C:\Users\Admin\AppData\Local\Temp\991.#.exe | C:\Users\Admin\AppData\Local\Temp\991.#.exe | depth 34 | PID:2220
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 35 | PID:2572
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\847194.vbs" | depth 35 | PID:2144
C:\Users\Admin\AppData\Local\Temp\826.#.exe | C:\Users\Admin\AppData\Local\Temp\826.#.exe | depth 35 | PID:1348
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 36 | PID:1948
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\533001.vbs" | depth 36 | PID:2244
C:\Users\Admin\AppData\Local\Temp\484.#.exe | C:\Users\Admin\AppData\Local\Temp\484.#.exe | depth 36 | PID:1684
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 37 | PID:2776
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\946254.vbs" | depth 37 | PID:2304
C:\Users\Admin\AppData\Local\Temp\421.#.exe | C:\Users\Admin\AppData\Local\Temp\421.#.exe | depth 37 | PID:2160
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 38 | PID:1812
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\658031.vbs" | depth 38 | PID:1356
C:\Users\Admin\AppData\Local\Temp\850.#.exe | C:\Users\Admin\AppData\Local\Temp\850.#.exe | depth 38 | PID:2624
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 39 | PID:2984
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\681392.vbs" | depth 39 | PID:2320
C:\Users\Admin\AppData\Local\Temp\287.#.exe | C:\Users\Admin\AppData\Local\Temp\287.#.exe | depth 39 | PID:2288
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 40 | PID:2844
C:\Windows\SysWOW64\wscript.exe | wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\741298.vbs" | depth 40 | PID:2228
C:\Users\Admin\AppData\Local\Temp\429.#.exe | C:\Users\Admin\AppData\Local\Temp\429.#.exe | depth 40 | PID:1832
C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe /s scrrun.dll | depth 41 | PID:1568
Network
MITRE ATT&CK Enterprise v15
Downloads