Analysis Overview
SHA256
1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca
Threat Level: Likely benign
The file 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca was found to be: Likely benign.
Malicious Activity Summary
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:11
Reported
2024-11-09 20:14
Platform
win7-20240903-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s scrrun.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.Axv
| Hash | Value |
|---|---|
| MD5 | daa0498fa402a7c8564847ac48be78df |
| SHA1 | d7fd3531dc44705aa406ed8b437a8c4759e4bef9 |
| SHA256 | 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca |
| SHA512 | 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:11
Reported
2024-11-09 20:14
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE$ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\defaults\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe$ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\TextConv\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lt-LT\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$ | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.asp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.html | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.asa | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\VBSFILE\SCRIPTHOSTENCODE | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4488 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4488 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4488 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe
"C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s scrrun.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca.Axv
| Hash | Value |
|---|---|
| MD5 | daa0498fa402a7c8564847ac48be78df |
| SHA1 | d7fd3531dc44705aa406ed8b437a8c4759e4bef9 |
| SHA256 | 1bc5c2dede3d2e44c7ce5c8fe622b9da376485d0e4c194f2b72d8781bb569bca |
| SHA512 | 83711de1fbd8f5976138651950be591e14a1529d6e2839f748a992ec823e533daa2550fe2a7b36de2c994483d801311ebd4c2b392f60b891ed532337dc4a980c |