Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 0a9ffa57d65083c92e0d3d69b00f2f0d.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0a9ffa57d65083c92e0d3d69b00f2f0d.dll
  Resource: win10v2004-20231222-en
General
Target: 0a9ffa57d65083c92e0d3d69b00f2f0d.dll
Size: 26KB
MD5: 0a9ffa57d65083c92e0d3d69b00f2f0d
SHA1: ec88c8cf7b666e63cd800d869e56510e099b2943
SHA256: 9bfaf2f0b53f87d1452d4c2aa75027ffb8e66aee1462c3d9eb7a6e55bcac55c8
SHA512: fa10ece8826badbbe1f572bfd9f4202b36dc499bca58a9d2e17ceb931b237f69867618fb2e7da732c5598cf24ad31008ebbf459380abbf071b849178eb193ae2
SSDEEP: 768:ReyHi8DRyr9dQDG2/q2ts9m7LTi7mHnfCNZZ2C6/ix49:YwR1APQTq269mji7mH+4ix49
Malware Config
Signatures
Blocklisted process makes network request (47 IoCs)
flow | pid | Process
5, 6, 10, 12, 14, 15, 19, 22, 23, 24, 26, 29, 32, 33, 34, 35, 38, 40, 42, 46, 51, 53, 55, 58, 60, 62, 63, 66, 67, 70, 71, 74, 76, 78, 79, 81, 83, 84, 85, 86, 87, 89, 91, 92, 93, 95, 98 | 3040 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "C:\\Windows\\FVProtect.exe" | rundll32.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\s: \??\x: \??\e: \??\h: \??\n: \??\u: \??\w: \??\y: \??\z: \??\j: \??\k: \??\l: \??\p: \??\q: \??\r: \??\t: \??\v: \??\g: \??\i: \??\o: \??\m: | rundll32.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
PID 3036 wrote to memory of 3040 | 3036 | rundll32.exe | 16
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9ffa57d65083c92e0d3d69b00f2f0d.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3036
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9ffa57d65083c92e0d3d69b00f2f0d.dll,#1
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\Harry Potter all e.book.doc.exe
Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d