Analysis
max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted
31/10/2023, 13:53
Behavioral task
behavioral1
Sample
cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Resource
win10v2004-20231020-en
General
Target
cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Size
96KB
MD5
c488a0d5839a3ba216efa6a6d6a12187
SHA1
42a7fed06b86e23292b339bc599f050bee1e263a
SHA256
cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce
SHA512
9f4873fd5425b3d30af3e46c233636ee79cb7a38848318d81d156f364e436abb818c986f5275fe0caf3aeacdbeded3ab4d14ae340b07bdc69126fdc160687c20
SSDEEP
3072:6ckrZwbZD+22prEIUYTUL2oy7Fq4Z6WTnbQIEh:Jqwp4NmYgB0fEdh
Malware Config
Signatures
resource yara_rule
behavioral1/memory/2332-0-0x0000000000400000-0x0000000000451000-memory.dmp upx
behavioral1/memory/2332-166-0x0000000000400000-0x0000000000451000-memory.dmp upx
Drops desktop.ini file(s) 16 IoCs
description ioc Process
File opened for modification C:\Users\Public\Videos\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Music\desktop.ini regsvr32.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini regsvr32.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\desktop.ini regsvr32.exe
File opened for modification C:\Program Files (x86)\desktop.ini regsvr32.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini regsvr32.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Downloads\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Libraries\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Documents\desktop.ini regsvr32.exe
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini regsvr32.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\h: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\t: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\u: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\w: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\z: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\a: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\e: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\l: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\s: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\b: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\i: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\j: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\n: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\o: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\p: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\r: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\g: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\m: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\q: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\v: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\x: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\y: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
File opened (read-only) \??\k: cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\desktop.ini regsvr32.exe
File opened for modification C:\Program Files (x86)\"Windows Mail"\WinMail.exe.manifest regsvr32.exe
File created C:\Program Files (x86)\"Windows Mail"\WinMail.exe.manifest regsvr32.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\WindowsShell.Manifest regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\1.0\0\win32\ = "C:\\Windows\\syswow64\\SHELL32.dll" regsvr32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target
PID 2332 wrote to memory of 2268 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 28
PID 2332 wrote to memory of 2020 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 30
PID 2332 wrote to memory of 2144 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 31
PID 2332 wrote to memory of 2536 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 32
PID 2332 wrote to memory of 2524 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 33
PID 2332 wrote to memory of 2528 2332 cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe 34
Processes
- C:\Users\Admin\AppData\Local\Temp\cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe
  "C:\Users\Admin\AppData\Local\Temp\cf5991051c9ead3bbdb7f494492b5cbff3c89fffa665e7af21ca05ede9d977ce.exe"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2332
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /i shell32.dll
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:2268
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s mlang.dll
    PID:2020
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /i browseui.dll
    PID:2144
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s msxml.dll
    PID:2536
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /i mshtml.dll
    PID:2524
  - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s /i shdocvw.dll
    PID:2528
Network
MITRE ATT&CK Enterprise v15
Downloads