Overview
Resubmissions
11/10/2023, 00:51  231011-a7gevsbe37  score 10
11/10/2023, 00:50  231011-a652tshd41  score 10
31/01/2023, 09:06  230131-k21xeshe3z  score 7

Analysis
max time kernel: 94s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
submitted: 31/01/2023, 09:06
Tasks
Task | Sample | Resource
static1 (static task) | - | -
behavioral1 | RDR2CHEAT/PrimeXLauncher.exe | win10-20220812-en
behavioral2 | RDR2CHEAT/build/net20/x64/SQLite.Interop.dll | win10-20220812-en
behavioral3 | RDR2CHEAT/build/net20/x86/SQLite.Interop.dll | win10-20220901-en
behavioral4 | RDR2CHEAT/build/net40/x64/SQLite.Interop.dll | win10-20220812-en
behavioral5 | RDR2CHEAT/build/net40/x86/SQLite.Interop.dll | win10-20220812-en
behavioral6 | RDR2CHEAT/build/net45/x64/SQLite.Interop.dll | win10-20220812-en
behavioral7 | RDR2CHEAT/build/net45/x86/SQLite.Interop.dll | win10-20220901-en
behavioral8 | RDR2CHEAT/build/net451/x64/SQLite.Interop.dll | win10-20220812-en
behavioral9 | RDR2CHEAT/build/net451/x86/SQLite.Interop.dll | win10-20220812-en
behavioral10 | RDR2CHEAT/build/net46/x64/SQLite.Interop.dll | win10-20220812-en
behavioral11 | RDR2CHEAT/build/net46/x86/SQLite.Interop.dll | win10-20220901-en
behavioral12 | RDR2CHEAT/lib/net20/System.Data.SQLite.dll | win10-20220812-en
behavioral13 | RDR2CHEAT/lib/net20/System.Data.SQLite.dll.xml | win10-20220812-en
behavioral14 | RDR2CHEAT/lib/net40/System.Data.SQLite.dll | win10-20220901-en
behavioral15 | RDR2CHEAT/lib/net40/System.Data.SQLite.dll.xml | win10-20220812-en
behavioral16 | RDR2CHEAT/lib/net45/System.Data.SQLite.dll | win10-20220812-en
behavioral17 | RDR2CHEAT/lib/net45/System.Data.SQLite.dll.xml | win10-20220812-en
behavioral18 | RDR2CHEAT/lib/net451/System.Data.SQLite.dll | win10-20220901-en
behavioral19 | RDR2CHEAT/lib/net451/System.Data.SQLite.dll.xml | win10-20220812-en
behavioral20 | RDR2CHEAT/lib/net46/System.Data.SQLite.dll | win10-20220812-en
behavioral21 | RDR2CHEAT/lib/net46/System.Data.SQLite.dll.xml | win10-20220812-en
General
Target: RDR2CHEAT/lib/net45/System.Data.SQLite.dll.xml
Size: 739B
MD5: 2858babc2a9d70c1ae5a47079d05469a
SHA1: 949d6bbd12f1e303888c4ce3a6da0b7f99d05db9
SHA256: cd0380242335f78fe62fe6e288eb9c9f1d3c51ff8d41b3facb89c9b59d8ee401
SHA512: 4ba02e408987c9d0b00df38d9da9becc1bd73bc388f625915969c82618842400f98cae1c86d08080a4d9dc89d4337b238d7793444554029a72d17a90890d321d
Malware Config
Signatures
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3805589675" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012187" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80f8d5dc3e89941899d6ad5cfd4269900000000020000000000106600000001000020000000612d854d668e0d8e4bbf5c4bad3406219559ac04cbf00d190cfad2cf17436393000000000e80000000020000200000003b2edbb0b7cee5e48f7db68bafb57bb436255286e915a5d5d1c300b94190d37c20000000326eb68399c60ea72a8f1010255186eeab5f204b8a0a09aa7c8d40c111e2354f400000007899d31bd06e2281cf9b2cbadde0c768124996f4953135668d9f11c9396dce66794ab346f38ea2da4c44739657d3802c9e3a3f452aec8ca15adefd5eda86c601 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381924617" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012187" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06fd1e35b35d901 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3805589675" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "381973203" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "381941211" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012187" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D88A650-A14F-11ED-A7A3-CAA9CE0ED775} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3814808418" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3814808418" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703de9e35b35d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012187" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80f8d5dc3e89941899d6ad5cfd4269900000000020000000000106600000001000020000000d49ec92f7af2ec9272fb3e7a609d2eabd8af648cd6d63eb9db82bcaa2186fa7a000000000e80000000020000200000007f3f24ca62461c4b2c5ebf371ca38fdd9b2664c9f1639f2099fbb9badb8de00e2000000006ceae137d59adc941784662e4ed02fee2cd06a13bf9115330688241da353643400000008e35c3c370a986ff4948d05c9b9eb35aab7fdf8fc2378e4ec37d8b87c8fd82df8970f0f6e9e4289174fb6bc3eb959ec9413f832af06826cff6f35410c060d1ff | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3320 | iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3320 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3320 | iexplore.exe
3320 | iexplore.exe
4756 | IEXPLORE.EXE
4756 | IEXPLORE.EXE
4756 | IEXPLORE.EXE
4756 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 4672 wrote to memory of 3320 | 4672 | MSOXMLED.EXE | 66
PID 4672 wrote to memory of 3320 | 4672 | MSOXMLED.EXE | 66
PID 3320 wrote to memory of 4756 | 3320 | iexplore.exe | 68
PID 3320 wrote to memory of 4756 | 3320 | iexplore.exe | 68
PID 3320 wrote to memory of 4756 | 3320 | iexplore.exe | 68
Processes
1. C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\RDR2CHEAT\lib\net45\System.Data.SQLite.dll.xml"
   PID: 4672
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe (child of PID 4672)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\RDR2CHEAT\lib\net45\System.Data.SQLite.dll.xml
      PID: 3320
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 3320)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3320 CREDAT:82945 /prefetch:2
         PID: 4756
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: ee0a37a05b705a5f66ebdd61da30b479
SHA1: 136f52350f4f9213cd7a3062b4143b64a54c9549
SHA256: 11a400393192414706b8051b4b37f3ef76d81885d41e0259d17a1517c2ccf56f
SHA512: c724734022d241f608b8b9515a6c1c87b4899f2d2dc2ea637a6c2acfabf7f00864bcf4478359f9ac5de31316046151e25eca389b8a9d136d4d84fcd61f9670bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 371a0bf7fd981b02318558b2910139ae
SHA1: 78f3571c68450d23a622488d7eaa68cb0c0501ad
SHA256: 356a4a095e26f32fadac75bb4504e8375c3cbffda6e63eacece8775f35376a95
SHA512: d00bc81e30ec1b3dd5c8886ba849abc4ef21cbc67aa52e50ab66b534e8d2124dffe6651930cb18b53e30c1b5df3826e23dd390e38d66776eb75ca924d04ba520

(path not shown in the report)
Filesize: 614B
MD5: 746ace9c639cd3941383b7ac7ee88750
SHA1: 0fb465720e83a141c91e564c838ca322a8901014
SHA256: 64ad30b932898fd40b2efd6f809a22f9fd6c19c0d0907dad39c05a68b25d98db
SHA512: 079d168ea1d351da2a71e464b1efbfc4dc653a045c7d5a25d0c22b971deb784dc296f8a34361cbadc51b243e3a2cc9b9141cefe0195c9b4303fbc94d66e6f728