Malware Analysis Report

2025-03-14 23:47

Sample ID 240603-fym4yacg7w
Target ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986
SHA256 ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986
Tags
persistence
score
7/10

Analysis Overview

score
7/10

SHA256

ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986

Threat Level: Shows suspicious behavior

The file ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

NTFS ADS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:16

Reported

2024-06-03 05:19

Platform

win7-20240508-en

Max time kernel

126s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\173.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\376.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\345.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\697.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\843.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\551.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\293.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\183.#.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\843.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\173.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\376.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\551.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\293.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\183.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\345.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\697.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\345.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\83.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\376.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\293.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\843.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\551.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\83.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\173.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\697.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\183.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\96.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\96.#.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe$ C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\ C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\ C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\ C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\ C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe$ C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\ C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\ C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\ C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\ C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\ C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\ C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\ C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\ C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe$ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\ C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe$ C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\ C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\ C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\ C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\ C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\ C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\ C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\de-DE\ C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\ C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\ C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\ C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\ C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
File created C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Program Files\Windows Defender\en-US\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\ C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\ C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\ C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\ C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\697.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\83.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\843.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\183.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\345.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\293.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\376.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\96.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\173.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\551.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\187.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\581.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\304.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\544.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\877.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\258.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\659.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\657.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\870.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\173.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\915.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\406.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\376.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\345.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\697.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\843.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\551.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\293.#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\183.#.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\wscript.exe
PID 2904 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Users\Admin\AppData\Local\Temp\993.#.exe
PID 272 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 272 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe C:\Windows\SysWOW64\wscript.exe
PID 272 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\993.#.exe C:\Users\Admin\AppData\Local\Temp\368.#.exe
PID 2660 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2660 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2660 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\368.#.exe C:\Users\Admin\AppData\Local\Temp\3.#.exe
PID 2420 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\3.#.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe

"C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\237880.vbs"

C:\Users\Admin\AppData\Local\Temp\993.#.exe

C:\Users\Admin\AppData\Local\Temp\993.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\79281.vbs"

C:\Users\Admin\AppData\Local\Temp\368.#.exe

C:\Users\Admin\AppData\Local\Temp\368.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\965969.vbs"

C:\Users\Admin\AppData\Local\Temp\3.#.exe

C:\Users\Admin\AppData\Local\Temp\3.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\590404.vbs"

C:\Users\Admin\AppData\Local\Temp\240.#.exe

C:\Users\Admin\AppData\Local\Temp\240.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\804439.vbs"

C:\Users\Admin\AppData\Local\Temp\875.#.exe

C:\Users\Admin\AppData\Local\Temp\875.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\462368.vbs"

C:\Users\Admin\AppData\Local\Temp\187.#.exe

C:\Users\Admin\AppData\Local\Temp\187.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\435924.vbs"

C:\Users\Admin\AppData\Local\Temp\581.#.exe

C:\Users\Admin\AppData\Local\Temp\581.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\942852.vbs"

C:\Users\Admin\AppData\Local\Temp\304.#.exe

C:\Users\Admin\AppData\Local\Temp\304.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\137645.vbs"

C:\Users\Admin\AppData\Local\Temp\544.#.exe

C:\Users\Admin\AppData\Local\Temp\544.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\111004.vbs"

C:\Users\Admin\AppData\Local\Temp\877.#.exe

C:\Users\Admin\AppData\Local\Temp\877.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\865459.vbs"

C:\Users\Admin\AppData\Local\Temp\258.#.exe

C:\Users\Admin\AppData\Local\Temp\258.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\471370.vbs"

C:\Users\Admin\AppData\Local\Temp\491.#.exe

C:\Users\Admin\AppData\Local\Temp\491.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\139126.vbs"

C:\Users\Admin\AppData\Local\Temp\659.#.exe

C:\Users\Admin\AppData\Local\Temp\659.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\877269.vbs"

C:\Users\Admin\AppData\Local\Temp\657.#.exe

C:\Users\Admin\AppData\Local\Temp\657.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\989711.vbs"

C:\Users\Admin\AppData\Local\Temp\870.#.exe

C:\Users\Admin\AppData\Local\Temp\870.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\850948.vbs"

C:\Users\Admin\AppData\Local\Temp\218.#.exe

C:\Users\Admin\AppData\Local\Temp\218.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\841213.vbs"

C:\Users\Admin\AppData\Local\Temp\173.#.exe

C:\Users\Admin\AppData\Local\Temp\173.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\505245.vbs"

C:\Users\Admin\AppData\Local\Temp\49.#.exe

C:\Users\Admin\AppData\Local\Temp\49.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\424160.vbs"

C:\Users\Admin\AppData\Local\Temp\915.#.exe

C:\Users\Admin\AppData\Local\Temp\915.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\401912.vbs"

C:\Users\Admin\AppData\Local\Temp\752.#.exe

C:\Users\Admin\AppData\Local\Temp\752.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\956829.vbs"

C:\Users\Admin\AppData\Local\Temp\406.#.exe

C:\Users\Admin\AppData\Local\Temp\406.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\898311.vbs"

C:\Users\Admin\AppData\Local\Temp\376.#.exe

C:\Users\Admin\AppData\Local\Temp\376.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\611751.vbs"

C:\Users\Admin\AppData\Local\Temp\345.#.exe

C:\Users\Admin\AppData\Local\Temp\345.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\843166.vbs"

C:\Users\Admin\AppData\Local\Temp\697.#.exe

C:\Users\Admin\AppData\Local\Temp\697.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\896618.vbs"

C:\Users\Admin\AppData\Local\Temp\96.#.exe

C:\Users\Admin\AppData\Local\Temp\96.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\301479.vbs"

C:\Users\Admin\AppData\Local\Temp\83.#.exe

C:\Users\Admin\AppData\Local\Temp\83.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\947857.vbs"

C:\Users\Admin\AppData\Local\Temp\843.#.exe

C:\Users\Admin\AppData\Local\Temp\843.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\243023.vbs"

C:\Users\Admin\AppData\Local\Temp\551.#.exe

C:\Users\Admin\AppData\Local\Temp\551.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\741161.vbs"

C:\Users\Admin\AppData\Local\Temp\293.#.exe

C:\Users\Admin\AppData\Local\Temp\293.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\75237.vbs"

C:\Users\Admin\AppData\Local\Temp\183.#.exe

C:\Users\Admin\AppData\Local\Temp\183.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\61779.vbs"

C:\Users\Admin\AppData\Local\Temp\166.#.exe

C:\Users\Admin\AppData\Local\Temp\166.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\246669.vbs"

C:\Users\Admin\AppData\Local\Temp\616.#.exe

C:\Users\Admin\AppData\Local\Temp\616.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\206844.vbs"

C:\Users\Admin\AppData\Local\Temp\991.#.exe

C:\Users\Admin\AppData\Local\Temp\991.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\847194.vbs"

C:\Users\Admin\AppData\Local\Temp\826.#.exe

C:\Users\Admin\AppData\Local\Temp\826.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\533001.vbs"

C:\Users\Admin\AppData\Local\Temp\484.#.exe

C:\Users\Admin\AppData\Local\Temp\484.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\946254.vbs"

C:\Users\Admin\AppData\Local\Temp\421.#.exe

C:\Users\Admin\AppData\Local\Temp\421.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\658031.vbs"

C:\Users\Admin\AppData\Local\Temp\850.#.exe

C:\Users\Admin\AppData\Local\Temp\850.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\681392.vbs"

C:\Users\Admin\AppData\Local\Temp\287.#.exe

C:\Users\Admin\AppData\Local\Temp\287.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\741298.vbs"

C:\Users\Admin\AppData\Local\Temp\429.#.exe

C:\Users\Admin\AppData\Local\Temp\429.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

Network

N/A

Files

memory/2904-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\237880.vbs

C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\237880.vbs

C:\Users\Admin\AppData\Local\Temp\993.#.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\804439.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\111004.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\111004.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\471370.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\989711.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\505245.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\401912.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\898311.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\611751.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\843166.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\243023.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\75237.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\75237.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\847194.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2C10A89\847194.vbs


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:16

Reported

2024-06-03 05:19

Platform

win10v2004-20240426-en

Max time kernel

42s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\392.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\392.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\653.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\309.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\309.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\653.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileProtector = "C:\\10a0699fa37928d39c\\spfirewall.exe" C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSCRLib = "regsvr32.exe /s scrrun.dll" C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\zh-TW\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe$ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\ C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File created C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\ C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\fr-FR\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\da-DK\ C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ko-KR\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\da-DK\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hr-HR\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\ C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tr-TR\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tr-TR\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\he-IL\ C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lv-LV\ C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pt-BR\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\7-Zip\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\zh-TW\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\fr-FR\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\ C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\ C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hu-HU\ C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\ C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\ C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\en-US\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\th-TH\ C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\ C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\ C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\ = "FileSystem Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cdx C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asp C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\ = "FileSystem Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asa C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\486.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\309.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\224.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\28.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\383.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\826.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\291.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\392.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\396.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\360.#.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\systemlog.log C:\Users\Admin\AppData\Local\Temp\653.#.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\wscript.exe
PID 3048 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\wscript.exe
PID 3048 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Windows\SysWOW64\wscript.exe
PID 3048 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Users\Admin\AppData\Local\Temp\224.#.exe
PID 3048 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Users\Admin\AppData\Local\Temp\224.#.exe
PID 3048 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe C:\Users\Admin\AppData\Local\Temp\224.#.exe
PID 1756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1756 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1756 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\wscript.exe
PID 1756 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\wscript.exe
PID 1756 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Windows\SysWOW64\wscript.exe
PID 1756 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Users\Admin\AppData\Local\Temp\28.#.exe
PID 1756 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Users\Admin\AppData\Local\Temp\28.#.exe
PID 1756 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\224.#.exe C:\Users\Admin\AppData\Local\Temp\28.#.exe
PID 512 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 512 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 512 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 512 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\wscript.exe
PID 512 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\wscript.exe
PID 512 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Windows\SysWOW64\wscript.exe
PID 512 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Users\Admin\AppData\Local\Temp\383.#.exe
PID 512 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Users\Admin\AppData\Local\Temp\383.#.exe
PID 512 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\28.#.exe C:\Users\Admin\AppData\Local\Temp\383.#.exe
PID 2024 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2024 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2024 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2024 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2024 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Users\Admin\AppData\Local\Temp\396.#.exe
PID 2024 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Users\Admin\AppData\Local\Temp\396.#.exe
PID 2024 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\383.#.exe C:\Users\Admin\AppData\Local\Temp\396.#.exe
PID 788 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 788 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 788 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 788 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\wscript.exe
PID 788 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\wscript.exe
PID 788 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Windows\SysWOW64\wscript.exe
PID 788 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Users\Admin\AppData\Local\Temp\826.#.exe
PID 788 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Users\Admin\AppData\Local\Temp\826.#.exe
PID 788 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\396.#.exe C:\Users\Admin\AppData\Local\Temp\826.#.exe
PID 2392 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2392 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2392 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Windows\SysWOW64\wscript.exe
PID 2392 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Users\Admin\AppData\Local\Temp\291.#.exe
PID 2392 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Users\Admin\AppData\Local\Temp\291.#.exe
PID 2392 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\826.#.exe C:\Users\Admin\AppData\Local\Temp\291.#.exe
PID 4548 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4548 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4548 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4548 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\wscript.exe
PID 4548 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\wscript.exe
PID 4548 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Windows\SysWOW64\wscript.exe
PID 4548 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Users\Admin\AppData\Local\Temp\486.#.exe
PID 4548 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Users\Admin\AppData\Local\Temp\486.#.exe
PID 4548 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\291.#.exe C:\Users\Admin\AppData\Local\Temp\486.#.exe
PID 3872 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\486.#.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe

"C:\Users\Admin\AppData\Local\Temp\ee1d2216310f6f084f482b81f1c75f6778ff85340ea9643a41b3a428d04ee986.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\320705.vbs"

C:\Users\Admin\AppData\Local\Temp\224.#.exe

C:\Users\Admin\AppData\Local\Temp\224.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\64235.vbs"

C:\Users\Admin\AppData\Local\Temp\28.#.exe

C:\Users\Admin\AppData\Local\Temp\28.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\326809.vbs"

C:\Users\Admin\AppData\Local\Temp\383.#.exe

C:\Users\Admin\AppData\Local\Temp\383.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\254909.vbs"

C:\Users\Admin\AppData\Local\Temp\396.#.exe

C:\Users\Admin\AppData\Local\Temp\396.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\595241.vbs"

C:\Users\Admin\AppData\Local\Temp\826.#.exe

C:\Users\Admin\AppData\Local\Temp\826.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\639187.vbs"

C:\Users\Admin\AppData\Local\Temp\291.#.exe

C:\Users\Admin\AppData\Local\Temp\291.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\913479.vbs"

C:\Users\Admin\AppData\Local\Temp\486.#.exe

C:\Users\Admin\AppData\Local\Temp\486.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\177517.vbs"

C:\Users\Admin\AppData\Local\Temp\360.#.exe

C:\Users\Admin\AppData\Local\Temp\360.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\344753.vbs"

C:\Users\Admin\AppData\Local\Temp\309.#.exe

C:\Users\Admin\AppData\Local\Temp\309.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\148464.vbs"

C:\Users\Admin\AppData\Local\Temp\392.#.exe

C:\Users\Admin\AppData\Local\Temp\392.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\349514.vbs"

C:\Users\Admin\AppData\Local\Temp\653.#.exe

C:\Users\Admin\AppData\Local\Temp\653.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\977199.vbs"

C:\Users\Admin\AppData\Local\Temp\460.#.exe

C:\Users\Admin\AppData\Local\Temp\460.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\874660.vbs"

C:\Users\Admin\AppData\Local\Temp\771.#.exe

C:\Users\Admin\AppData\Local\Temp\771.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\188427.vbs"

C:\Users\Admin\AppData\Local\Temp\706.#.exe

C:\Users\Admin\AppData\Local\Temp\706.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\20092.vbs"

C:\Users\Admin\AppData\Local\Temp\905.#.exe

C:\Users\Admin\AppData\Local\Temp\905.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\696239.vbs"

C:\Users\Admin\AppData\Local\Temp\122.#.exe

C:\Users\Admin\AppData\Local\Temp\122.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\841747.vbs"

C:\Users\Admin\AppData\Local\Temp\836.#.exe

C:\Users\Admin\AppData\Local\Temp\836.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\929882.vbs"

C:\Users\Admin\AppData\Local\Temp\913.#.exe

C:\Users\Admin\AppData\Local\Temp\913.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\840648.vbs"

C:\Users\Admin\AppData\Local\Temp\461.#.exe

C:\Users\Admin\AppData\Local\Temp\461.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\141430.vbs"

C:\Users\Admin\AppData\Local\Temp\337.#.exe

C:\Users\Admin\AppData\Local\Temp\337.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

C:\Windows\SysWOW64\wscript.exe

wscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\42064.vbs"

C:\Users\Admin\AppData\Local\Temp\324.#.exe

C:\Users\Admin\AppData\Local\Temp\324.#.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3048-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\320705.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\320705.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\320705.vbs

C:\Users\Admin\AppData\Local\Temp\224.#.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\64235.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\64235.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\64235.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2C10A89\254909.vbs

C:\Program Files\Java\jdk-1.8\bin\orbd.exe

C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe$

C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe$
