7d2f27e40cea3248fe952148b0d636c45a0e196c320bc9e441c186abc7f6bd0d

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
Size

4.3MB
MD5

8270cc8f6e3575c3d6dac84783c7895b
SHA1

43057f92c25747f11bc1c28d04c899cd54003a10
SHA256

7d2f27e40cea3248fe952148b0d636c45a0e196c320bc9e441c186abc7f6bd0d
SHA512

4cadf853469c4a5bc5944d8246da4b62d8e4e506838fde5b799986ba052f4335d5d229eaa8c76f70c552210f40685b6d7a06189147cc428f9d71f5aa346869e2
SSDEEP

98304:hI5plrd55Q8ysqZw5QCVUFYnT3kup/6hoCS4rCwNM4nt:KplR7rnyw5B+AT3kS6hE45Pt

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
3008	setup.exe
2660	Regsvr32.exe
664	Regsvr32.exe
840	Regsvr32.exe
1720	Regsvr32.exe
1192	Regsvr32.exe
1620	Regsvr32.exe
1768	Regsvr32.exe
2076	Regsvr32.exe
2472	Regsvr32.exe
960	Regsvr32.exe
1080	Regsvr32.exe
848	Regsvr32.exe
2104	Regsvr32.exe
1996	Regsvr32.exe
916	Regsvr32.exe
716	ISOBurner.exe

Loads dropped DLL 64 IoCs

pid	Process
2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
2660	Regsvr32.exe
2660	Regsvr32.exe
2660	Regsvr32.exe
2660	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
664	Regsvr32.exe
664	Regsvr32.exe
664	Regsvr32.exe
3008	setup.exe
3008	setup.exe
840	Regsvr32.exe
840	Regsvr32.exe
840	Regsvr32.exe
840	Regsvr32.exe
3008	setup.exe
3008	setup.exe
1720	Regsvr32.exe
1720	Regsvr32.exe
1720	Regsvr32.exe
1720	Regsvr32.exe
3008	setup.exe
3008	setup.exe
1192	Regsvr32.exe
1192	Regsvr32.exe
1192	Regsvr32.exe
1192	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
1620	Regsvr32.exe
1620	Regsvr32.exe
1620	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
1768	Regsvr32.exe
1768	Regsvr32.exe
1768	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
2076	Regsvr32.exe
2076	Regsvr32.exe
2076	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
2472	Regsvr32.exe
2472	Regsvr32.exe
2472	Regsvr32.exe
3008	setup.exe
3008	setup.exe
3008	setup.exe
960	Regsvr32.exe
960	Regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SSubTmr6.dll	setup.exe
File created	C:\Windows\SysWOW64\MSCMCFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCMCFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	setup.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	setup.exe
File created	C:\Windows\SysWOW64\VB6FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MCI32.OCX	setup.exe
File created	C:\Windows\SysWOW64\MCIFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\sensapi.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\ASYCFILT.DLL	setup.exe
File created	C:\Windows\SysWOW64\CMDLGFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\CMDLGFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMCAT.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\OLEPRO32.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\STDOLE2.TLB	setup.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	setup.exe
File created	C:\Windows\SysWOW64\WNASPI32.DLL	setup.exe
File created	C:\Windows\SysWOW64\COMDLG32.OCX	setup.exe
File created	C:\Windows\SysWOW64\VB6STKIT.DLL	setup.exe
File created	C:\Windows\SysWOW64\INETFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MCIFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\Mscc2fr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\RUNNABLE.TLB	setup.exe
File created	C:\Windows\SysWOW64\CMCT3FR.DLL	setup.exe
File created	C:\Windows\SysWOW64\COMCT332.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMCT332.OCX	setup.exe
File created	C:\Windows\SysWOW64\SSubTmr6.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\VB6FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\msxml3.dll	setup.exe
File created	C:\Windows\SysWOW64\scrrnfr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\scrrun.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\CMCT3FR.DLL	setup.exe
File created	C:\Windows\SysWOW64\GIF89.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\GIF89.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\OLEAUT32.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\VB6STKIT.DLL	setup.exe
File created	C:\Windows\SysWOW64\MCI32.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\scrrnfr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\WNASPI32.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\INETFR.DLL	setup.exe
File created	C:\Windows\SysWOW64\MSCOMCT2.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMCT2.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	setup.exe
File created	C:\Windows\SysWOW64\Mscc2fr.dll	setup.exe
File created	C:\Windows\SysWOW64\RUNNABLE.TLB	setup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d68-8.dat	upx
behavioral1/memory/2572-10-0x0000000002150000-0x00000000021C1000-memory.dmp	upx
behavioral1/memory/3008-20-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/3008-64-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/3008-236-0x0000000000320000-0x0000000000330000-memory.dmp	upx
behavioral1/memory/3008-264-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/3008-267-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ISOpen\Lang\English.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Italiano.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Russian.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOPENASPI.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOPENASPI.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\cd.dat	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\Disc.dat	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\iso2bin.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\aspi32.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\setup.log	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\GRAPHIC.DAT	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\Disc.dat	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\French.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lame\lame.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISO.ico	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOBurner.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Italiano.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Russian.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Chinese(CHS).lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\izo.ico	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\izo.ico	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOburnParam.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\uninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\English.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Dutch.Lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Chinese(CHS).lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOpen.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\iso2bin.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOburnParam.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\setup.log	setup.exe
File created	C:\Program Files (x86)\ISOpen\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\cd.dat	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\French.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Dutch.Lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lame\lame.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOpen.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOBurner.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\aspi32.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\GRAPHIC.DAT	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISO.ico	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISOBurner.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	Regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38911D9C-E448-11D0-84A3-00DD01104159}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComCtl3Satellite.Resources\ = "ComCtl3Satellite.Resources"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38911D8A-E448-11D0-84A3-00DD01104159}\ = "Bands"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1}\ = "IUpDown"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5522DAF7-06D6-11D2-8D70-00A0C98B28E2}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0\0\win32\ = "C:\\Windows\\SysWow64\\MSCOMCT2.OCX"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ = "SSubTimer6.GSubclass"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5522DB03-06D6-11D2-8D70-00A0C98B28E2}\ = "BandProperties"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5522DAF9-06D6-11D2-8D70-00A0C98B28E2}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D51B4E9A-368D-4C87-AD6D-A2711F72BE5E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\ISOpen"	ISOBurner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7500A6BA-EB65-11D1-938D-0000F87557C9}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\MiscStatus\1\ = "139665"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSubTimer6.ISubclass\ = "SSubTimer6.ISubclass"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D47530-CF84-11D1-834C-00A0249F0C28}\MiscStatus	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\ = "Microsoft ListView Control 6.0 (SP6)"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Programmable	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ = "IColumnHeader"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ = "AsyncProperty_VB5"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38911D8E-E448-11D0-84A3-00DD01104159}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D47530-CF84-11D1-834C-00A0249F0C28}\ = "Gif89 Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1A8AF27-1257-101B-8FB0-0020AF039CA3}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ToolboxBitmap32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx"	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MCI.MMControl\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Version	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MCI.MMControl\ = "Microsoft Multimedia Control, version 6.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5522DAF9-06D6-11D2-8D70-00A0C98B28E2}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\COMDLG32.OCX"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Programmable	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\SSubTmr6.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ = "_GSubclass"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
716	ISOBurner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 2572 wrote to memory of 3008	2572	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	31
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 2660	3008	setup.exe	32
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 664	3008	setup.exe	33
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 840	3008	setup.exe	34
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1720	3008	setup.exe	35
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1192	3008	setup.exe	36
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1620	3008	setup.exe	37
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 1768	3008	setup.exe	38
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2076	3008	setup.exe	39
PID 3008 wrote to memory of 2472	3008	setup.exe	40

C:\Users\Admin\AppData\Local\Temp\8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\ae28620\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae28620\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\CMCT3FR.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\COMCAT.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\COMCT332.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\COMDLG32.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\GIF89.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\mscomctl.ocx"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\msvbvm60.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\OLEAUT32.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\OLEPRO32.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\MSINET.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\MCI32.OCX"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\MSCOMCT2.OCX"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\msxml3.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\scrrun.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe /s "C:\Windows\system32\SSubTmr6.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:916
- - C:\Program Files (x86)\ISOpen\ISOBurner.exe
    "C:\Program Files (x86)\ISOpen\ISOBurner.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ISOpen\ISOBurner.exe

Filesize
40KB

MD5
f22837c8c45d5b5d60024cb5d9bcad8f

SHA1
c31c64e00082fc75b7aef17114bd087c370f91a0

SHA256
7fb3bfab48e5e74a26f2d2964d78ad3856fa474223fd9aa835948d6324ae1837

SHA512
63ad9d9209cde18e0c69523e963a1aee4888851959010d63062293008ee6fd1ffc8abaa30be69a7c1129dbce8eef2793f56198a6d8a3dc8ab8490c01a8ebea37

Download Submit
C:\Program Files (x86)\ISOpen\ISOpen.exe

Filesize
367KB

MD5
dd6d045d04d823a11a370267763d2f0c

SHA1
e1add69fa0395bbb0e0d7c1f0179238eb7bbd15a

SHA256
9203b659ef2223d6dc551d6c68eda249b11565440b70e07d2e82bebeca4feb55

SHA512
c27e57a1e1f5cfd1113b4ee755286bd973a5aa071458445c4e883e21940c92d8fd7700d370ea1f05c0c880fdf46560d0b2dcf3520c66cbce199fadef6dcf310a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28620\English.dat

Filesize
5KB

MD5
11075490b216306d47156dd9c9db9b52

SHA1
b7549823c0c9e147e0c0735291da9d2c7e84b768

SHA256
1f8ada3c4bbd62495b3747bdffe6f1745f7484ce86045e7227515f27d2253fe4

SHA512
b5a62d042a3146290a4bb5fff35908bbe8cc1a3f1572afa3a5f27846a191eca98d93698984f8bb6b605b9c3421d3451d1d607b0361ef552b26cb882faaa2b50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28620\Setup.ini

Filesize
4KB

MD5
9c09600e62f0001a701ccaeabed8f67b

SHA1
c89690c00e04d48c773c05c5dca09f43eff66175

SHA256
be931922461aa31c158cf59bc100fd9451a6dfd920c6fa18ba9216ef7f504389

SHA512
dac81d6cab5920e0f5f4b84d57bd2eb627b69b2fdec9eef9e0cf174d0d2de3ff1afffb9d4db24fe212e9b0894c3bf0905590d04d9dd9a7d27de44330ff066493

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28620\setup.zip

Filesize
4.1MB

MD5
4949fe140f056040afedfa1e5ec9f6ae

SHA1
703ee6d309ee2cf925e81fae876092f745d1d27f

SHA256
e006bff40df6bfeae08cdc7ca481b61839c3a24a721a1ca46c2bf923a87eff48

SHA512
e410fe6666f099f3f675428763c3a66da96c80d478e960928d0568fd29aa5a8d585fcf80841b6914e3b9c664279d85f6268871c99bdf050905ded8f02b3e37d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3692.tmp

Filesize
1.1MB

MD5
88e5618f62912ad2c4fd2832b5bcb63f

SHA1
3876ea4233b27b09a67eddbadcc9aa396960974b

SHA256
19413ced1c7791a699c5469bd466d1b002bb0366961305408d1eb0e2e96dfc7d

SHA512
59cc16d4cdd6ce9dbe2f00bee5261da9798905f008fc574537a5a92b9ba27c9121a9a02cbde5a4851371ccfd25fbd1358b0dec794680bf7366071f216bb1191f

Download Submit
C:\Windows\SysWOW64\CMCT3FR.DLL

Filesize
28KB

MD5
3ef5966521538b55ac01938ab03ff6a2

SHA1
7c9b00f4f53e6f26207c16696d77d93325262fd8

SHA256
5c83a7aa92d683769fe1466da50e13442a36497c86307a07c495036b4cca403c

SHA512
8c228a5bd25b71415fbba8c18150aa81dce6c415bc5d96f9eaa936f00a61cc40bd039127842332448c47a94689b9f151f5af7cb612d6415252f081deda7e89eb

Download Submit
C:\Windows\SysWOW64\COMCT332.OCX

Filesize
405KB

MD5
821ab1f1cf9904cb9026c686f13f0f05

SHA1
398f64c00b026d1c6d94a6efd180f20c010f5ee9

SHA256
332e6a1cb4bf722092f9e774ecc14acddbf95a9655bea021681b11aac37ac716

SHA512
d63c0facd14adfca4e7e1e6d99d1fd1c2be89c2c03e9835c506418a6a3facb745888062bdf97cdab0ad67cc8bccb385ae10955f58150d9c4ac4a7c61e5c1e559

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
d76f0eab36f83a31d411aeaf70da7396

SHA1
9bc145b54500fb6fbea9be61fbdd90f65fd1bc14

SHA256
46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c

SHA512
9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d

Download Submit
C:\Windows\SysWOW64\GIF89.DLL

Filesize
43KB

MD5
fb00273cf7ce639c136853f3fc04b10c

SHA1
16e612d7a4f210e78426577cd77f349306ab018a

SHA256
d4916f5c35a94e87cef46a63b4f19fb842252e0e2857b7804c808c94926156e0

SHA512
5e4bc9ce74bf81171e4a7fc6168b0dfc50268ff0069549bbf7cd0d480df9882911f4a31183d8d6c0222bede39d7d3216ad4e8c553501c376eeb0abe454fce6a8

Download Submit
\Users\Admin\AppData\Local\Temp\ae28620\Regsvr32.exe

Filesize
36KB

MD5
7b194f51f6b52233c33a7d0d88a91581

SHA1
459dc713fd52197d025fb7b4b4833ed5dca73a87

SHA256
7c05339da12624396d9911263dc7c993fc2e757e130009465a511045bf06d344

SHA512
dd835fa6d8f57159ff045bc3c89d1eea965411a34f1a8d0232ed58a1fde885cb3e489fdd01d2bf31aec606130a6b6dc6e3e7602ecb852326dc293604793504cc

Download Submit
\Users\Admin\AppData\Local\Temp\ae28620\setup.exe

Filesize
149KB

MD5
536d65fb4fc58c60cb9693360d36f536

SHA1
71bd50765c01cdd264fc647ca5fb34dfffd3499b

SHA256
79f851fc387d00331e82ac34ae9840a53b034ba9de977f84e216593fd5e6111a

SHA512
fd5cf95dd416fa7e708df3604821cc8aa0a0e6385dd3a83367b65bae6c3e0817ca1dc5e3fe4fb6e8fe24b1a612dac395e7d41284f6927b254ffcf58878591fe7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2896.tmp

Filesize
140KB

MD5
fc152d48b806bc5167a9de010181f1b7

SHA1
d38fc4323220c7ab5be27365159e8f910935a3d8

SHA256
960b59a0108573d18f8b1bfeeccf561bc1893035ea5814598875ca1a664e16d0

SHA512
67dbb11e3186dcfe0720596dacc68d5469989a970925c0e25183b460bfd56c4db8c35677d59785d5ac64a4351c95a780480dbbf3787b0fe27c5084f52f80e560

Download Submit
\Users\Admin\AppData\Local\Temp\tmp29FE.tmp

Filesize
21KB

MD5
3b180da2b50b954a55fe37afba58d428

SHA1
c2a409311853ad4608418e790621f04155e55000

SHA256
96d04cdfaf4f4d7b8722b139a15074975d4c244302f78034b7be65df1a92fd03

SHA512
cf94ad749d91169078b8829288a2fc8de86ec2fe83d89dc27d54d03c73c0deca66b5d83abbeaa1ff09d0acac4c4352be6502945b5187ecde952cbb08037d07e8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2D98.tmp

Filesize
1.0MB

MD5
714cf24fc19a20ae0dc701b48ded2cf6

SHA1
d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

SHA256
09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

SHA512
d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2F5D.tmp

Filesize
1.3MB

MD5
3496686b7304f0034f58d3417ba1b6b6

SHA1
53565a271e708321836a6274000cfec462e81b0d

SHA256
088e9a0ec5dcdbb3d1deb412c32087c93dcf9c757b5d97ab93d7f7f91c2091ff

SHA512
8769843d1b9a2bd5980c1db1707f906e4f123aaf3fd38c76447dbf70f67e5c536fd7b629c753d2a0696aa4049a98a705ad2bcd1b79a29b6a582feba897d82fa2

Download Submit
memory/716-262-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/716-258-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/716-259-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/716-257-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2572-10-0x0000000002150000-0x00000000021C1000-memory.dmp

Filesize
452KB

Download
memory/3008-177-0x0000000000860000-0x0000000000889000-memory.dmp

Filesize
164KB

Download
memory/3008-241-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/3008-16-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/3008-253-0x0000000002B60000-0x0000000002B8A000-memory.dmp

Filesize
168KB

Download
memory/3008-236-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/3008-20-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-84-0x0000000000860000-0x0000000000884000-memory.dmp

Filesize
144KB

Download
memory/3008-171-0x0000000001FE0000-0x0000000002075000-memory.dmp

Filesize
596KB

Download
memory/3008-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-263-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/3008-264-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-267-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download