6e63becaf5c5e17a9d3afb6e2104eee3dbe473c8930ae8783eba0fedadb4a152

General

Target

TMACv6.0.7_Setup.exe
Size

5.1MB
MD5

a7c8cf1d50ebe630a7d0c47686a0abbf
SHA1

3229e8080975f4f5512d2382552f68c0389acff5
SHA256

a453b3ea8d8133531fad26b18701c694c324cc201e3069d07e99f0e100908c1a
SHA512

42340b7435605049e3f817feac1ac238177772b2b1ebf05eb9311bb58ee3dd1cab39913240a4c39e3407374009310770d8221c31914549524ecd92beab93b787
SSDEEP

98304:ARU3j4wtopcj2dqCYV1coZ4hv3tmF1b6CrjfW/sfH6s7zQcKDsVv/JLSF66b/:ARqt/CdqRc64hv3tmF1b6CffW/sfH6sm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

TMAC.exe

pid process

2892 TMAC.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeTMACv6.0.7_Setup.exeTMAC.exe

pid	process
2684	regsvr32.exe
2844	regsvr32.exe
2880	regsvr32.exe
2792	TMACv6.0.7_Setup.exe
2792	TMACv6.0.7_Setup.exe
2792	TMACv6.0.7_Setup.exe
2792	TMACv6.0.7_Setup.exe
2892	TMAC.exe
2892	TMAC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

TMACv6.0.7_Setup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\TABCTL32.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCHRT20.OCX	TMACv6.0.7_Setup.exe

Drops file in Program Files directory 13 IoCs

Processes:

TMACv6.0.7_Setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\CLIHelp.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\oui.db	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_footer_back_h30.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\EULA.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\help.html	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\logo.gif	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_back_blue_w800.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\index.css	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_logo_back.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Read Me.txt	TMACv6.0.7_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

TMACv6.0.7_Setup.exeregsvr32.exeregsvr32.exeregsvr32.exeTMAC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMACv6.0.7_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMAC.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID\ = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{65E121D4-0C60-11D2-A9FC-0000F8754DA1}\2.0\ = "Microsoft Chart Control 6.0 (SP4) (OLEDB)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074D1-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07513-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07527-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A2B370A-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC5D0DE0-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCHRT20.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E0751D-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC5D0DE5-BD4C-11D1-B137-0000F8753F5D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074E8-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E07521-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074E8-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07506-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074E2-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074F4-BA0A-11D1-B137-0000F8753F5D}\ = "IVcPlotBase"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E0750E-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E0750E-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\TABCTL32.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074DE-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E07506-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074F0-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CD-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074F0-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E07515-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A2B370A-BA0A-11D1-B137-0000F8753F5D}\ = "_DMSChart"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07513-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A2B370B-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074C9-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074DC-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E0750E-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID\ = "{BDC217C5-ED16-11CD-956C-0000C04E4C0A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074EE-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074DE-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E0750E-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E07521-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074D1-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074E0-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E0751D-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CB-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07502-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07506-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Required Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074C9-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074D5-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9E074D8-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E0750C-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

TMACv6.0.7_Setup.exeTMAC.exe

pid	process
2792	TMACv6.0.7_Setup.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

TMAC.exe

pid	process
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe
2892	TMAC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

TMACv6.0.7_Setup.exeTMAC.exe

pid process

2792 TMACv6.0.7_Setup.exe
2792 TMACv6.0.7_Setup.exe
2892 TMAC.exe
2892 TMAC.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

TMACv6.0.7_Setup.exe

description	pid	process	target process
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2684	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2844	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 2792 wrote to memory of 2880	2792	TMACv6.0.7_Setup.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\TMACv6.0.7_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TMACv6.0.7_Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\COMDLG32.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\MSCHRT20.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\TABCTL32.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880

C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe
"C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf

Filesize
327B

MD5
b15b6771957a32ad93ffd0e044e4dca7

SHA1
1fc37282fce391d607c71dccbaba0fea8ae0f68b

SHA256
29106fa8e3c3d9370ced3d1c18f6d99a139710d6f77c8e61d468934dbd7efeeb

SHA512
49f28ac07e41de4cca37fcd6a898f1ba90766b3387bd49f171a1c49d75b7f94eb84b2d08e9efacc9a3281091413d8f19a06feb55825756ed533084565afccc5b

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe

Filesize
189KB

MD5
a5b566a320614640892332013c618d07

SHA1
a70284fb1cbb94f7b32470ad2c72cada4976dd62

SHA256
79bae09aa921f8c88bf51058a6d3a60fb7f656fe5d42bc3ab3f551f1b238dd69

SHA512
92b1368a25d69b7d1a6e18195f31bc0a8cb33262617d7e8202c32748192c0cd7514944f34c9ad6bace009b2511fa896a890d30abf3bcf5925ca01cf18cab0ede

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\oui.db

Filesize
1.9MB

MD5
df01b5d254a5975ab617cf11d1c31fe1

SHA1
0fd90aee6d7a9b7417db574d9af5046fac45e14d

SHA256
eb13aff91a8ee50dfdf7b2cbf10e0e975f6d6111298737ab051539a4b9156944

SHA512
f6d1bfbb6793926c518b2a36f5fc46767d5fa508ee6f2973718ec8b8ae3e93d04f7d66c28c15aad1697d3bd81f4af7358dab9c4a56e95e85743ae7c6bf01f7c4

Download Submit
C:\Windows\SysWOW64\MSCHRT20.OCX

Filesize
987KB

MD5
38ce0c8fcd78d00fd717ce3a91214cbc

SHA1
953b182806a8ddcde48b033537e3432a56d1cf39

SHA256
de49eb9f935416cc57a1b590cca686e4a14e7b3cbbde10b8ff7fb88642a215ce

SHA512
bd7c0319953c5280d1e0f961cd6324c70c4949c0db0aa1cd77c27a8a1abfd6e592164a8888e3a06b5b127614d9b9caf1dfcae95b9e50216547a8e8ffb1f00006

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
218KB

MD5
dc925b6d77ba9ecb532e2f6750be943b

SHA1
f71215e701401f0dd6fe143e3a630b2e168a4fac

SHA256
d10a197fd53e65dc910ca4aed86cb674c613ff14ce6436d1a445bb27a7a499e0

SHA512
ee9c40e695a29de7e7b8a9fe1ca01ebba9a8bdc199d46d98c71a4e3ecfec566f2fc31300a5e9867e8c791b15ac3ebec076f0710e0f6eec6c3fdea3bde37ab171

Download Submit
\Program Files (x86)\Technitium\TMACv6.0\Installer.exe

Filesize
184KB

MD5
1a56af5a19362ff83b99eda81f5dfdf9

SHA1
1282d21a54255a49b8b4d1b9b442a7d1d56bfca6

SHA256
72367e11dbf5e3ad9fa1cc4b2fbd3d8e3e5a26d5683cfc7b06b7d1ac33aa4011

SHA512
bfd138a0a25cbf3869ebc0fe0de7ef6b60425bfde536008ecacf7c3e6b5925a66c80734cf989056c2d36b240ceae4e447762d48dcc9ca866bd51cabf1c2cf0aa

Download Submit
\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe

Filesize
712KB

MD5
230b4c45774e95dd75241068c68aeb0d

SHA1
ef46dd76a8c6d4a7d6882469015a07a9bf660a50

SHA256
6c3d76c9a4d1652ce25ae8c2ba1907167cfaa0054b8e1325f370c52eafa74c97

SHA512
fc08d219e1023d7929250ecab81f640e4114f51b184d9004da0887c93b24a6026931a71da4ef0e95caa2a416d858496b5e174bcd0dd3bd3a76bca6582283e90c

Download Submit
\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
b73809a916e6d7c1ae56f182a2e8f7e2

SHA1
34e4213d8bf0e150d3f50ae0bd3f5b328e1105f5

SHA256
64c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195

SHA512
26c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads