Analysis Overview
SHA256
f34d1e06fe517a516581cf1569849cb4b4c98e156ed9a82c200e671dfb960a63
Threat Level: Shows suspicious behavior
The file StarOptimizer1.2.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 02:01
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 02:01
Reported
2024-06-20 02:03
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe |
| PID 1576 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe |
| PID 1576 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe
"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"
C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe
"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI15762\python39.dll
| MD5 | 2135da9f78a8ef80850fa582df2c7239 |
| SHA1 | aac6ad3054de6566851cae75215bdeda607821c4 |
| SHA256 | 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3 |
| SHA512 | 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 02:01
Reported
2024-06-20 02:03
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe |
| PID 2280 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe |
| PID 1924 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Windows\system32\cmd.exe |
| PID 1924 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Windows\system32\cmd.exe |
| PID 1924 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Windows\system32\cmd.exe |
| PID 1924 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe
"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"
C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe
"C:\Users\Admin\AppData\Local\Temp\StarOptimizer1.2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "pip install colorama"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "pip install psutil"
Network
| Country | Destination | Domain | Proto |
| US | 23.53.113.159:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22802\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywin32_system32\pywintypes39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywin32_system32\pythoncom39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\win32\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI22802\tcl86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI22802\libssl-1_1.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 02:01
Reported
2024-06-20 02:03
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 816 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 816 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 816 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2708 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2708 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\message (14).pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f495ab76a4af30588f6feaf8f8105f52 |
| SHA1 | 430b915edf6bcaba5f29e357b0ed8ef43b2b2c4d |
| SHA256 | 59c408fa99dbdfc08567ac41c17ab22afc11d81417bbfe35b8e21edb5c2a46ca |
| SHA512 | 6cea4afeca9789fb2ee401aad65222939a9673b079f68ba90a0ff5e7850cc5d4a8b5dd48747729c0d9819ae8b7f6238328e9af07a5b99a9e2d8227eef689d079 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 02:01
Reported
2024-06-20 02:03
Platform
win10v2004-20240508-en
Max time kernel
44s
Max time network
49s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\message (14).pyc"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding