Overview
Static: score 10
About.chm (windows7-x64): score 7
About.chm (windows10-2004-x64): score 1
Setup_s34.exe (windows7-x64): score 10
Setup_s34.exe (windows10-2004-x64): score 7
baid.exe (windows7-x64): score 10
baid.exe (windows10-2004-x64): score 7
bind_8152.exe (windows7-x64): score 10
bind_8152.exe (windows10-2004-x64): score 7
duisc.exe (windows7-x64): score 10
duisc.exe (windows10-2004-x64): score 8
edmtd.exe (windows7-x64): score 10
edmtd.exe (windows10-2004-x64): score 7
itadx.exe (windows7-x64): score 10
itadx.exe (windows10-2004-x64): score 7
ly2_03.exe (windows7-x64): score 10
ly2_03.exe (windows10-2004-x64): score 10
pcast.exe (windows7-x64): score 10
pcast.exe (windows10-2004-x64): score 10
pingtu12.exe (windows7-x64): score 10
pingtu12.exe (windows10-2004-x64): score 1
qqa02_u88setup.exe (windows7-x64): score 10
qqa02_u88setup.exe (windows10-2004-x64): score 8
sdcnc.exe (windows7-x64): score 10
sdcnc.exe (windows10-2004-x64): score 8
sdpig.exe (windows7-x64): score 10
sdpig.exe (windows10-2004-x64): score 7
sdreg.exe (windows7-x64): score 10
sdreg.exe (windows10-2004-x64): score 1
sdset.exe (windows7-x64): score 10
sdset.exe (windows10-2004-x64): score 10
sogoutb_se...ni.exe (windows7-x64): score 10
sogoutb_se...ni.exe (windows10-2004-x64): score 7
Analysis
Score: 10
Max time kernel: 150s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-01-2024 17:27
Behavioral tasks (sample, resource)
behavioral1: About.chm, win7-20231215-en
behavioral2: About.chm, win10v2004-20231215-en
behavioral3: Setup_s34.exe, win7-20231215-en
behavioral4: Setup_s34.exe, win10v2004-20231215-en
behavioral5: baid.exe, win7-20231215-en
behavioral6: baid.exe, win10v2004-20231215-en
behavioral7: bind_8152.exe, win7-20231215-en
behavioral8: bind_8152.exe, win10v2004-20231215-en
behavioral9: duisc.exe, win7-20231129-en
behavioral10: duisc.exe, win10v2004-20231215-en
behavioral11: edmtd.exe, win7-20231215-en
behavioral12: edmtd.exe, win10v2004-20231222-en
behavioral13: itadx.exe, win7-20231215-en
behavioral14: itadx.exe, win10v2004-20231215-en
behavioral15: ly2_03.exe, win7-20231215-en
behavioral16: ly2_03.exe, win10v2004-20231215-en
behavioral17: pcast.exe, win7-20231215-en
behavioral18: pcast.exe, win10v2004-20231222-en
behavioral19: pingtu12.exe, win7-20231215-en
behavioral20: pingtu12.exe, win10v2004-20231215-en
behavioral21: qqa02_u88setup.exe, win7-20231215-en
behavioral22: qqa02_u88setup.exe, win10v2004-20231222-en
behavioral23: sdcnc.exe, win7-20231215-en
behavioral24: sdcnc.exe, win10v2004-20231215-en
behavioral25: sdpig.exe, win7-20231129-en
behavioral26: sdpig.exe, win10v2004-20231215-en
behavioral27: sdreg.exe, win7-20231215-en
behavioral28: sdreg.exe, win10v2004-20231222-en
behavioral29: sdset.exe, win7-20231215-en
behavioral30: sdset.exe, win10v2004-20231215-en
behavioral31: sogoutb_setup_pp365sosoft08mini.exe, win7-20231215-en
General
Target: duisc.exe
Size: 262KB
MD5: 28199122b75f244cd44d2dfc0107dc03
SHA1: 5a8b0ad0cdd4864d421916f5034a6913035750c1
SHA256: a345cbd37c52c9926d789826a82f1d1a17986d1833e21ffc97afed70e1a0a4e1
SHA512: 331755f64a8d41332e59787b628f26c526340bc73eb7acbecf1fe6ac461710d6b97fa524556ac53a23118f2e0f4649659701ca018d47e9749c3901c2f71aebe5
SSDEEP: 3072:XHYR8jkJ5y+wLjOKWeKI9hyqfDydmfPmbAT2V1p9p7/Wg8gV6tZy4co28kd+06bb:oEXueBjyAGkqV1pPWVw4BEe5uqmGv
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs; flow, pid, process)
  flow 6, pid 1208, RunDll32.exe
  flow 7, pid 4796, RunDll32.exe
  flow 8, pid 4796, RunDll32.exe
- Executes dropped EXE (1 IoC; pid, process)
  pid 3304, CFSQdll.exe
- Loads dropped DLL (11 IoCs; pid, process)
  pid 1208, RunDll32.exe (7 hits)
  pid 4796, RunDll32.exe (3 hits)
  pid 2728, Rundll32.exe (1 hit)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs" by duisc.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7} by RunDll32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper" by RunDll32.exe
- Drops file in System32 directory (25 IoCs; action, path, process)
  File created C:\Windows\SysWOW64\msibm\post.tpl by duisc.exe
  File created C:\Windows\SysWOW64\msibm\intro.tpl by duisc.exe
  File created C:\Windows\SysWOW64\msibm\cfs7zd.DLL by duisc.exe
  File opened for modification C:\Windows\SysWOW64\ibmuuid_.dll by Rundll32.exe
  File created C:\Windows\SysWOW64\msibm\cfscfg.7z by RunDll32.exe
  File created C:\Windows\SysWOW64\msibm\CFSQdll.exe by duisc.exe
  File opened for modification C:\Windows\SysWOW64\ibmuuid_.dll by RunDll32.exe
  File created C:\Windows\SysWOW64\msuuid_.dll by RunDll32.exe
  File created C:\Windows\SysWOW64\ibmuuid_.dll by Rundll32.exe
  File opened for modification C:\Windows\SysWOW64\msibm\cfscfg.7z by RunDll32.exe
  File created C:\Windows\SysWOW64\msibm\cfsupd.dll by duisc.exe
  File created C:\Windows\SysWOW64\msibm\intro.htm by Rundll32.exe
  File opened for modification C:\Windows\SysWOW64\msibm\CFSQdll.exe by duisc.exe
  File created C:\Windows\SysWOW64\msibm\cfsys.dll by duisc.exe
  File created C:\Windows\SysWOW64\msibm\post.htm by Rundll32.exe
  File created C:\Windows\SysWOW64\msibm\Uninstall.exe by duisc.exe
  File created C:\Windows\SysWOW64\msibm\lowlvl.dll by duisc.exe
  File created C:\Windows\SysWOW64\msvendr_.dll by RunDll32.exe
  File opened for modification C:\Windows\SysWOW64\msibm\post.tpl by duisc.exe
  File opened for modification C:\Windows\SysWOW64\msibm\intro.tpl by duisc.exe
  File created C:\Windows\SysWOW64\msibm\linbak.dll by duisc.exe
  File created C:\Windows\SysWOW64\msibm\cfsbho.dll by duisc.exe
  File opened for modification C:\Windows\SysWOW64\ibmvdr_.dll by duisc.exe
  File created C:\Windows\SysWOW64\ibmvdr_.dll by duisc.exe
  File opened for modification C:\Windows\SysWOW64\msuuid_.dll by RunDll32.exe
- Modifies registry class (51 IoCs; all by RunDll32.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ThreadingModel = "apartment"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\msibm\\"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer\ = "cfsbho.BHelper.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\AppID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "CBHelper Object"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID\ = "cfsbho.BHelper.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL\AppID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID\ = "cfsbho.BHelper"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS\ = "0"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\ = "cfsbho 1.0 类型库"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\ = "cfsbho"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\ = "CBHelper Object"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\ = "CBHelper Object"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\Programmable
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0
- Suspicious behavior: EnumeratesProcesses (64 IoCs; pid, process)
  pid 1208, RunDll32.exe (64 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC; description, pid, process)
  Token: SeDebugPrivilege, pid 1208, RunDll32.exe
- Suspicious use of WriteProcessMemory (16 IoCs; description, pid, process, procid_target)
  PID 4728 wrote to memory of 3304, 4728 duisc.exe, target 84 (3 hits)
  PID 4728 wrote to memory of 2728, 4728 duisc.exe, target 85 (3 hits)
  PID 4728 wrote to memory of 4796, 4728 duisc.exe, target 86 (3 hits)
  PID 4728 wrote to memory of 1208, 4728 duisc.exe, target 87 (3 hits)
  PID 1208 wrote to memory of 3456, 1208 RunDll32.exe, target 46
  PID 1208 wrote to memory of 4796, 1208 RunDll32.exe, target 86
  PID 1208 wrote to memory of 780, 1208 RunDll32.exe, target 11
  PID 1208 wrote to memory of 3456, 1208 RunDll32.exe, target 46
Processes
- C:\Windows\system32\svchost.exe (depth 1, PID 780)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
- C:\Windows\Explorer.EXE (depth 1, PID 3456)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\duisc.exe (depth 2, PID 4728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\duisc.exe"
    Signatures: Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msibm\CFSQdll.exe (depth 3, PID 3304)
      Command line: C:\Windows\system32\msibm\CFSQdll.exe 20
      Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\Rundll32.exe (depth 3, PID 2728)
      Command line: Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
      Signatures: Loads dropped DLL; Drops file in System32 directory
    - C:\Windows\SysWOW64\RunDll32.exe (depth 3, PID 4796)
      Command line: RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Installs/modifies Browser Helper Object; Drops file in System32 directory; Modifies registry class
    - C:\Windows\SysWOW64\RunDll32.exe (depth 3, PID 1208)
      Command line: RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36B
  MD5: 439b576b10b1f3c3d234efa11f25320e
  SHA1: cf32b1b645e477e3b668c5dbb40335ccd210d98e
  SHA256: a9db00075e8cd3bb95e01e3cfaefee16735fc5634d9135f8ec85ff5297083292
  SHA512: 0668d5f8318bb5bcf388898680a7dba74b2f4c3abc1740dbf07c756cb5248b9db7568d6d1b2f2a671e33c85b4c5429fe4e9e562f4074b1f6e62b20ccf972e12d
- Filesize: 6B
  MD5: 67235f0ee23bb5d9bfe272daec727c3a
  SHA1: 2020834bddfd82c85922ba6293277dd4047ec127
  SHA256: 4c31b850b9373f1a31705b3327cc8b0ac529a6a7aa5c86979c51b422d6a1afcc
  SHA512: 18e0adde1f8d4f9f5c51e74cbbb7c71c6843870f3e99f2e6ce81f92d3c1bd83a35116ba1f99b6582aae0c4dde83f616b5490cc12871e5cd3e54222e0ec219017
- Filesize: 22KB
  MD5: 445bf68113cac1d07e9a516b7ed830f0
  SHA1: 1598230ef36de04c49dd2e686f900945e9cb7fe1
  SHA256: bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90
  SHA512: 3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184
- Filesize: 14KB
  MD5: 379f4f2560c2d11838676ffcabeee8dd
  SHA1: b88999a424f7306eb2000955f5d8f1424160d1b2
  SHA256: 65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3
  SHA512: 4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d
- Filesize: 130KB
  MD5: f967f2d1ae78ae5b5008dc6de13682b7
  SHA1: 16ce4cba1d7fc76365952b14292671e47b1d1e4e
  SHA256: ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260
  SHA512: 73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e
- Filesize: 72KB
  MD5: 87355014fd31dd1047b4086640f9c14a
  SHA1: bde3383df2421d40c1f7ccbb909156dccc847d14
  SHA256: 5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3
  SHA512: 603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5
- Filesize: 187KB
  MD5: 6d7a20743ac066b025c09a4499448264
  SHA1: 5c15f4ae14c6c80c98ab97d2b98284598b9c3a21
  SHA256: 6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473
  SHA512: 1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d
- Filesize: 161B
  MD5: e0782089e9f016369e89a4ec36474355
  SHA1: a364f107081a899aea66ed73403dfc19041ea3f5
  SHA256: c09efa49ecdb14dbd0dae118f3ba4ac30ecb4fe2db9e5bfe2874403733e99d46
  SHA512: fff1a002e575ecf1f43573e2278f246ee72d007ac008f81717ecd0a9a003e969d2e91a28019e29912ed4741f1f3d9bed43adc14bfa48d80bd471df47825b9cfe
- Filesize: 44KB
  MD5: 5ad7b028f0431453d05d5bedcdee3574
  SHA1: c9f14c3530391461b74a4da359e1d0b7fdffad12
  SHA256: d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f
  SHA512: 22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c
- Filesize: 160B
  MD5: 7ba5508ca1abca116183c1dcdbcf31d2
  SHA1: c006df723e7ce851387345efe880c2fb7796d330
  SHA256: 0057b6b6acd17a102867a24e4927cdc487db31930c8769ad5271497757546e3e
  SHA512: 31dae4340d02815a0529cabe88fcad6a1e127776076d6172a1d7a76ed54cd0ecb86fec9aede5db9bf37278b47de857bc4c738d2fa30bfb635181492f8a8bd21b
- Filesize: 36B
  MD5: 4598dce7e912594e979a182c22add795
  SHA1: 8d47611a92f24ebce64c89dcf87fcb24e5853ad1
  SHA256: c3620c80e1ac2b335c512f650fe2a7b88f319f2d482d19cf5078eae83eb56a66
  SHA512: f3e49d7249a0e92b564b2d786baae3501f36b794c2e0729a40b2f224247467499b8f39e34ae63cdcd59cee8d701b500a78ba386a0bc4c62f05c2ea80b82c9b52
- Filesize: 3B
  MD5: 88d01685b67f611b42c5f0d4812a362b
  SHA1: 83384a4e3c734850de97cd8e3630b983f5fe2a37
  SHA256: 2691b1e337eb42cde24d4c61b8fd95fe7d5906e7720d4ad6807dd34377a9275c
  SHA512: a0b6e6d60281a435e3463dcd7af04a8777ec7d883805c08c0529967affb26faca1d91c675866c24a096f2dd7852115b5caf8e50522e43d789ce3d088af4ca0ca