Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 21:30
Behavioral task
behavioral1
Sample
3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe
-
Size
168KB
-
MD5
3c1f7ab05ead26bfce419c2d9e6150ae
-
SHA1
5885b97c0477f5a1d539b8d14dfed3f38b647967
-
SHA256
5e436ed745bbb4cf09202e3b7d4473650072f112a41e8b24c5e3db0f6d563e93
-
SHA512
555b8a1bf031592a58067cf2e687e244639f7138b9e617a46bdba4170bb2ff1f928539f369ebb3617147194da189570393fd39af3744bd175e7282d50561b07b
-
SSDEEP
3072:CQFvHWYPM6jKn/+QC8iL/aLTll9ZP8Lcg+LUoFjnwt5jeZUHmHb:CyPM6jU/+TL/aLTl7ZP+cgFoFjn+QqHw
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000600000001878d-46.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 1932 1.exe 2748 t7yvQO.exe -
Loads dropped DLL 8 IoCs
pid Process 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 1932 1.exe 1932 1.exe 2748 t7yvQO.exe 2736 regsvr32.exe 2748 t7yvQO.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wRaoat0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\t7yvQO.exe\"" 1.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\s8UrXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\t7yvQO.exe\"" 1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wRaoat0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\t7yvQO.exe\"" t7yvQO.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kt2l2tAv = "\"C:\\Users\\Admin\\AppData\\Roaming\\t7yvQO.exe\"" t7yvQO.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\win.com 1.exe File opened for modification C:\Windows\SysWOW64\zlib.dll t7yvQO.exe File opened for modification C:\Windows\SysWOW64\mswinsck.ocx t7yvQO.exe -
resource yara_rule behavioral1/memory/2112-1-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral1/files/0x0016000000018657-12.dat upx behavioral1/memory/2112-14-0x0000000000340000-0x0000000000398000-memory.dmp upx behavioral1/memory/2112-24-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral1/memory/2748-48-0x0000000010000000-0x0000000010014000-memory.dmp upx behavioral1/files/0x000600000001878d-46.dat upx behavioral1/memory/2748-45-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/1932-38-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-54-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-56-0x0000000010000000-0x0000000010014000-memory.dmp upx behavioral1/memory/2748-55-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-57-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-59-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-61-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-63-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-65-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-67-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-69-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-71-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-73-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-75-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-77-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-79-0x0000000000400000-0x0000000000458000-memory.dmp upx behavioral1/memory/2748-81-0x0000000000400000-0x0000000000458000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language t7yvQO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1932 1.exe 1932 1.exe 1932 1.exe 1932 1.exe 1932 1.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 1932 1.exe 2748 t7yvQO.exe 2748 t7yvQO.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2296 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 30 PID 2112 wrote to memory of 2296 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 30 PID 2112 wrote to memory of 2296 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 30 PID 2112 wrote to memory of 2296 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 30 PID 2112 wrote to memory of 1932 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 31 PID 2112 wrote to memory of 1932 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 31 PID 2112 wrote to memory of 1932 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 31 PID 2112 wrote to memory of 1932 2112 3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe 31 PID 1932 wrote to memory of 2748 1932 1.exe 33 PID 1932 wrote to memory of 2748 1932 1.exe 33 PID 1932 wrote to memory of 2748 1932 1.exe 33 PID 1932 wrote to memory of 2748 1932 1.exe 33 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34 PID 2748 wrote to memory of 2736 2748 t7yvQO.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\3c1f7ab05ead26bfce419c2d9e6150ae_JaffaCakes118.exe"2⤵PID:2296
-
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Roaming\t7yvQO.exeC:\Users\Admin\AppData\Roaming\t7yvQO.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\system32\mswinsck.ocx"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5e14ba6a9464bed1127c50214acaf0c1a
SHA13eeda63ac8209ffa2e1beeefdde6531e61f8dc4d
SHA256fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38
SHA51255a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26
-
Filesize
105KB
MD59484c04258830aa3c2f2a70eb041414c
SHA1b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA5129d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
-
Filesize
150KB
MD58ad6ae799a1b27224714b6289be38685
SHA1ff7edddb54c294a3a7130ff65be7f7a60e26cbaf
SHA2561dc353c3668f4053b8a268044bdcca9e9ab17d9289215be057ed4e4b1786ac6c
SHA512c7995b8360156c5221e4aa432e68e92047439ba92a2fef9b8a2f8217d3e2fac36857721622ddfda22034f2d72d6fcb193db067c94fe7b881133a93ca60601593
-
Filesize
27KB
MD5200d52d81e9b4b05fa58ce5fbe511dba
SHA1c0d809ee93816d87388ed4e7fd6fca93d70294d2
SHA256d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617
SHA5127b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5