96cb2dc58eac493ea9f11b3caef92acea5b4c19759d4ecca93cc84852b008cd7

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff0af87db380a914a4330a0f26d21c0N.exe
Size

6.7MB
MD5

6ff0af87db380a914a4330a0f26d21c0
SHA1

03dadaf918343dfd8d49daa34ffe228d09917d91
SHA256

96cb2dc58eac493ea9f11b3caef92acea5b4c19759d4ecca93cc84852b008cd7
SHA512

946690de23948d997c6490ad644f6e1fea69d30ab49e4127c0ed93ffead22d3fc367ffd7f9bfbb0e49ed740874d7cc540c18dcbacdc57ef2f39d13eb5b5b8c34
SSDEEP

196608:SfisoMvrHMOVBZKYigaeTgxfzhPk28MR685tWtKhDRA/6Nsk:SfisoMvrH5VBZKYigaagxfzhPk28O68p

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
2428	regsvr32.exe
2972	regsvr32.exe
2092	regsvr32.exe
2416	regsvr32.exe
2544	regsvr32.exe
2104	regsvr32.exe
2188	regsvr32.exe
1456	regsvr32.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe
1660	6ff0af87db380a914a4330a0f26d21c0N.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSSTDFMT.DLL	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\actskn43.ocx	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\MSADODC.OCX	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMCT2.OCX	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\MSDATGRD.OCX	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\dao360.dll	6ff0af87db380a914a4330a0f26d21c0N.exe
File opened for modification	C:\Windows\SysWOW64\MSBIND.DLL	6ff0af87db380a914a4330a0f26d21c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ff0af87db380a914a4330a0f26d21c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\InprocServer32\ThreadingModel = "Apartment"	6ff0af87db380a914a4330a0f26d21c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9D00F06-D948-11D0-BCF7-00C04FC2FB86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000101-0000-0010-8000-00AA006D2EA4}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32239586-29DE-4268-8AF3-CE7658D3D672}\TypeLib	6ff0af87db380a914a4330a0f26d21c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSBind.BindingCollection	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AAECB3B-3D56-47c7-8706-77899E73802A}\TypeLib	6ff0af87db380a914a4330a0f26d21c0N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000043-0000-0010-8000-00AA006D2EA4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSINET.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0000003B-0000-0010-8000-00AA006D2EA4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2\ = "ActiveSkin 4.3 Control"	6ff0af87db380a914a4330a0f26d21c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\TypeLib\ = "{67397AA1-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000100-0000-0010-8000-00AA006D2EA4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000039-0000-0010-8000-00AA006D2EA4}\ = "Workspace"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AAECB3B-3D56-47C7-8706-77899E73802A}\Implemented Categories	6ff0af87db380a914a4330a0f26d21c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2651DD90-DB42-11D1-B1CD-00A0C922E820}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000063-0000-0010-8000-00AA006D2EA4}\TypeLib\ = "{00025E01-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56BF9020-7A2F-11D0-9482-00A0C91110ED}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CLSID\ = "{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\ = "{6B263850-900B-11D0-9484-00A0C91110ED}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000089-0000-0010-8000-00AA006D2EA4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}\ = "DAnimationEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E60C550-7BD6-11D0-9482-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000029-0000-0010-8000-00AA006D2EA4}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue\CLSID\ = "{2B11E9B0-9F09-11D0-9484-00A0C91110ED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin2.1\CLSID\ = "{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}"	6ff0af87db380a914a4330a0f26d21c0N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0000000A-0000-0010-8000-00AA006D2EA4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000091-0000-0010-8000-00AA006D2EA4}\TypeLib\ = "{00025E01-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000083-0000-0010-8000-00AA006D2EA4}\TypeLib\ = "{00025E01-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\verb\2	6ff0af87db380a914a4330a0f26d21c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskn43.ocx"	6ff0af87db380a914a4330a0f26d21c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation.2\CLSID\ = "{B09DE715-87C1-11D1-8BE3-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00F442C2-5C9E-4AE5-AF7D-FB4E0350C2E3}\Implemented Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}	6ff0af87db380a914a4330a0f26d21c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\TypeLib\ = "{74848F95-A02A-4286-AF0C-A3C755E4A5B3}"	6ff0af87db380a914a4330a0f26d21c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56BF9020-7A2F-11D0-9482-00A0C91110ED}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EDBA2AAC-8A00-4EED-A2E4-74BFB760BE10}\Implemented Categories\{55E89939-3D2B-4954-80EA-2703A8EA1A10}	6ff0af87db380a914a4330a0f26d21c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCT2.OCX"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1660	6ff0af87db380a914a4330a0f26d21c0N.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2428	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	30
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2972	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	31
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2092	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	32
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2416	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	33
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2544	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	34
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2104	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	35
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 2188	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	36
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37
PID 1660 wrote to memory of 1456	1660	6ff0af87db380a914a4330a0f26d21c0N.exe	37

C:\Users\Admin\AppData\Local\Temp\6ff0af87db380a914a4330a0f26d21c0N.exe
"C:\Users\Admin\AppData\Local\Temp\6ff0af87db380a914a4330a0f26d21c0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s actskn43.ocx
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSADODC.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2972
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSCOMCT2.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2092
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSDATGRD.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSINET.OCX
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2544
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s dao360.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2104
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSBIND.DLL
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MSSTDFMT.DLL
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSADODC.OCX

Filesize
115KB

MD5
d827412fc2d9c7bdc190a457206270ae

SHA1
14045b78fb848532b677bf8114c8107d21c28fa8

SHA256
d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91

SHA512
975214f4c09295f09f3fc902fafec05d8179beccb44027851fb14177b350b65a02ba42f5f955b417e24b2bab0770070c3d6ba7254128d7eb3d1cae45c58cf266

Download Submit
C:\Windows\SysWOW64\MSBIND.DLL

Filesize
76KB

MD5
195fe2c984e8d827b862672b0f4761e4

SHA1
ad4f27638c2fea85c89c103be71ad3465be8e3c4

SHA256
6120a0e85b95a02a8c8484f98936ee8ddf70f612554f3a7f1bd340b41aa42f62

SHA512
09b31f9b84380dbeba239d7aad62efc76a304b91b12f349827d069c25c5937b49ad68eb35279b956dbf3678e36ee8806ffcd54dce67bb39ed3359312dcbd9e36

Download Submit
C:\Windows\SysWOW64\MSDATGRD.OCX

Filesize
254KB

MD5
fa8de5f76ba59bc4190fde2c78401d40

SHA1
8704a57a8b9f3a55242b9eae710c2645286c6e64

SHA256
1582418d27088049bb8ce628f87f9243f8e3c949508a69a509f2462de9db943b

SHA512
5015dbf7c7d6fd8cc147f16d09cfadbbd9a97b028da4b6f6424b74e442358bc605a71c1a9e2e14d40dc3d116403ea5808c88e445c808cbcd434b451ba8a19c1e

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\MSSTDFMT.DLL

Filesize
116KB

MD5
38950fbc15ea45be9b8988d897007fb1

SHA1
5aabb9eff890f63c300e0633028b65cd0a93660e

SHA256
73eae3c481beaf127017349e0dd03f023d5ed1888b2333b0d562c2522cd34800

SHA512
6a392beeb1563977d4b1b39d683f067a6e3ed6af708c598e87fd234b25220c480d0eb5ff5eaedbc573d31fba3b38f7e82dded38824e30be6c4eeb2e40c9061c2

Download Submit
C:\Windows\SysWOW64\actskn43.ocx

Filesize
380KB

MD5
9ba2c75dc9e825d35aa0bb6cb1398583

SHA1
59b8fb4c19864b77330d7252938b361dfba4a1e5

SHA256
6e360af66efac4abc2772769df1e41e5ffbf143890aba4dd3848b5219e1ef09e

SHA512
d154f700675f2a5feb81f3f7bd8075788d4b12d64e5b143fdb0852858912648f71d3644018ebc32889fa75025a694beb690780a2c5ddbb7493050f026389cf8e

Download Submit
C:\Windows\SysWOW64\dao360.dll

Filesize
541KB

MD5
54e10ad6ebbedcb221aded5d9f0c8f3f

SHA1
642ccb4e8d5963daa1f710200d997faad1ce5005

SHA256
adda2095d8c43424a50d8e6887babd21263dafcf7a7acf57a92a547ae210bb0d

SHA512
bb5f38d23527cd6cb40afe42f4c05dfa8ed41512d766a9d345279071228722164e56c930553d707ebccbc38ea96b75b9c25b2da6902e05d122e7273ae4a651bb

Download Submit
\Windows\SysWOW64\MSCOMCT2.OCX

Filesize
629KB

MD5
8facb683ecab70fb85b26683f9c742a3

SHA1
abb30706e49e6fb34b7e15ba154e3ada596c95ec

SHA256
8204b2913504c9c921b551d2b028c0171fe11c3ee38db788517830987ba5b126

SHA512
2e15e8935ce0eb347d1962dc7bdc7273a9991759c19473eed4822479b2286fd27910c95b6a568b57353be80860ef1aa7681c5c469ad252e797d8eaa7205e2caa

Download Submit
memory/1660-2-0x0000000000400000-0x0000000000ABE000-memory.dmp

Filesize
6.7MB

Download
memory/1660-36-0x0000000000400000-0x0000000000ABE000-memory.dmp

Filesize
6.7MB

Download