Malware Analysis Report

2025-05-28 18:28

Sample ID 241109-yyh44a1epk
Target 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
SHA256 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
Tags
discovery
score
4/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
4/10

SHA256

1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca

Threat Level: Likely benign (automated score 4/10)

The file 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca was found to be: Likely benign.

Analyst caveat: the verdict is the sandbox's automated score, and the signature tables below argue for a manual second look before the file is treated as clean. In both behavioral runs the sample opens a long list of executables and application directories under C:\Program Files and C:\Program Files (x86) for modification, creates .exe files at the paths of installed application binaries (WINWORD.EXE, wab.exe and VLC's uninstall.exe among them), and writes a copy of itself under a .Axv extension whose SHA256 equals that of the submitted sample. The behavioral1 run recorded no network activity. The remaining signatures (the NLS\Language registry lookup, SetWindowsHookEx, the regsvr32.exe registry writes) are weak on their own; the file-system behaviour is the part that needs review.

Malicious Activity Summary

discovery

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

The only technique the signatures on this page map to is System Location Discovery: System Language Discovery (T1614.001), raised by the NLS\Language registry lookup in both behavioral runs; it is also the source of the "discovery" tag.

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:11

Reported

2024-11-09 20:14

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\de-DE\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\fr-FR\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ja-JP\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Icons\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A

The same key is opened by regsvr32.exe, a Windows system binary, which shows that this lookup is routine locale initialisation rather than sample-specific reconnaissance; the signature carries little weight on its own.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe

"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

This child process registers scrrun.dll, the Windows Script Runtime library that provides Scripting.FileSystemObject, Scripting.Dictionary and Scripting.Encoder, with /s suppressing the result dialog. It runs from SysWOW64, the 32-bit copy, which is what a 32-bit parent reaches through file-system redirection. Re-registering a Microsoft library already present on the system is a common installer step and is what produces the "Modifies registry class" events attributed to regsvr32.exe in the behavioral2 run; it is not the regsvr32 script-execution abuse pattern (scrobj.dll with /i:<URL>), which would show a different command line.

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.Axv

MD5 daa0498fa402a7c8564847ac48be78df
SHA1 d7fd3531dc44705aa406ed8b437a8c4759e4bef9
SHA256 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
SHA512 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c

The SHA256 of this dropped file is identical to that of the submitted sample: the .Axv file is a byte-for-byte copy of the original executable written next to it under a different extension.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:11

Reported

2024-11-09 20:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\7-Zip\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Windows Security\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\TextConv\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoasb.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$ C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A
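The two "Drops file in Program Files directory" tables (behavioral1 above and behavioral2 here) are easier to judge once reduced to counts per action and target type. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own format, runs on a constructed subset of the rows above in which the sample's hash-named executable is shortened to sample.exe, and applies a heuristic escalation rule whose five-executable threshold is an assumption chosen for the example.

```python
"""Triage of sandbox "Drops file in Program Files directory" rows.

Added example, not part of the sandbox report. Parses rows in the report's
"<action> <indicator path> <process path> N/A" format and summarises what one
process did to executables under Program Files, so that a low automated score
can be checked against the raw file events.
"""
import re
from collections import Counter

# One row of the report's signature table. Paths contain spaces, so the
# indicator path is matched non-greedily up to the next "<drive>:\" token.
ROW_RE = re.compile(
    r"^(?P<action>File opened for modification|File created)\s+"
    r"(?P<path>[A-Z]:\\.+?)\s+"
    r"(?P<process>[A-Z]:\\.+?\.exe)\s+N/A$"
)

# Constructed input: a subset of rows from the behavioral1 and behavioral2
# tables, with the sample's hash-named executable shortened to sample.exe.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\ C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe$ C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe$ C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\7-Zip\ C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""


def parse_rows(text):
    """Return one dict (action, path, process) per line that matches ROW_RE."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(path):
    """Directory (trailing backslash), .exe, .exe with the '$' suffix the
    report shows, or anything else."""
    if path.endswith("\\"):
        return "directory"
    low = path.lower()
    if low.endswith(".exe"):
        return "exe"
    if low.endswith(".exe$"):
        return "exe$"
    return "other"


def summarize(events):
    """Count events by (action, kind) and collect the executables involved."""
    counts = Counter()
    touched = set()   # distinct executables, '$' suffix folded away
    created = []      # .exe files the process created under Program Files
    for ev in events:
        kind = classify(ev["path"])
        counts[(ev["action"], kind)] += 1
        if kind in ("exe", "exe$"):
            touched.add(ev["path"].lower().rstrip("$"))
        if ev["action"] == "File created" and kind == "exe":
            created.append(ev["path"])
    return {
        "events": len(events),
        "processes": sorted({ev["process"] for ev in events}),
        "counts": counts,
        "distinct_executables": len(touched),
        "created_executables": created,
    }


def verdict(summary, exe_threshold=5):
    """Heuristic escalation rule (the threshold is an assumption for this
    example): one process opening many unrelated Program Files executables
    for modification, or creating .exe files at paths that belong to installed
    applications, deserves a manual look whatever the automated score."""
    reasons = []
    if summary["distinct_executables"] >= exe_threshold:
        reasons.append(f"{summary['distinct_executables']} distinct executables "
                       "under Program Files opened for modification or created")
    if summary["created_executables"]:
        reasons.append(f"{len(summary['created_executables'])} .exe files created "
                       "at installed-application paths")
    return ("escalate" if reasons else "no finding"), reasons


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for (action, kind), n in sorted(s["counts"].items()):
        print(f"{n:3d}  {action:<28} {kind}")
    status, reasons = verdict(s)
    print(status)
    for r in reasons:
        print("  -", r)
```

Paste the full table into SAMPLE_ROWS (or read it from a file) to get the real counts. The "exe$" class is kept separate from "exe" because the report lists those paths distinctly and does not state what the suffix means.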

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.js C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asp C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.html C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asa C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe

"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s scrrun.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.Axv

MD5 daa0498fa402a7c8564847ac48be78df
SHA1 d7fd3531dc44705aa406ed8b437a8c4759e4bef9
SHA256 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
SHA512 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c