7ceebd8c3d6580cc052edb2c444560dff903b3f92dd3ac509ed6f63d4036adc7

General

Target

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Size

3.2MB
MD5

fa96589961b9650ea9c44268bb42f3e3
SHA1

cbee4a701e231c64222e578daa1aed136faa7945
SHA256

7ceebd8c3d6580cc052edb2c444560dff903b3f92dd3ac509ed6f63d4036adc7
SHA512

281ed6d1fa5a101d9e7a140abc5947dbf740d571ecfe96496e70e862c690dace2feedb8a63b1aad9752d7ea2ff35e22194a2eda2ed1003f219abcff5d93d9270
SSDEEP

98304:hRwYKnNRKF1pVaNB5EwLwaL+P5zu2jNOcBWR:AnNRUHawP5zuMIIw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

½ØÍ¼.exeHD-Frontend.exeHD-Frontend.exeHD-Frontend.exeHD-Frontend.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
2644	½ØÍ¼.exe
2464	HD-Frontend.exe
2744	HD-Frontend.exe
2240	HD-Frontend.exe
2044	HD-Frontend.exe
2256	EP.exe
2292	EP.exe
2284	EP.exe
2812	EP.exe
2932	EP.exe
2324	EP.exe
760	EP.exe
596	EP.exe
2192	EP.exe
3056	EP.exe
2404	EP.exe
872	EP.exe
352	EP.exe
2288	EP.exe
1964	EP.exe
624	EP.exe
568	EP.exe
2416	EP.exe
1544	EP.exe
2972	EP.exe
1348	EP.exe
2924	EP.exe
1512	EP.exe
2252	EP.exe
1820	EP.exe
1628	EP.exe
2052	EP.exe
2652	EP.exe
2680	EP.exe
2604	EP.exe
2788	EP.exe
2456	EP.exe
2616	EP.exe
2784	EP.exe
2868	EP.exe
2736	EP.exe
2228	EP.exe
2872	EP.exe
2856	EP.exe
1128	EP.exe
1652	EP.exe
1684	EP.exe
2372	EP.exe
2188	EP.exe
2336	EP.exe
2768	EP.exe
320	EP.exe
2092	EP.exe
912	EP.exe
1696	EP.exe
2316	EP.exe
2144	EP.exe
2628	EP.exe
2632	EP.exe
1448	EP.exe
268	EP.exe
1328	EP.exe
1112	EP.exe
3024	EP.exe

Loads dropped DLL 64 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe½ØÍ¼.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2256	EP.exe
2256	EP.exe
2644	½ØÍ¼.exe
2292	EP.exe
2292	EP.exe
2644	½ØÍ¼.exe
2284	EP.exe
2284	EP.exe
2644	½ØÍ¼.exe
2812	EP.exe
2812	EP.exe
2644	½ØÍ¼.exe
2932	EP.exe
2932	EP.exe
2644	½ØÍ¼.exe
2324	EP.exe
2324	EP.exe
2644	½ØÍ¼.exe
760	EP.exe
760	EP.exe
2644	½ØÍ¼.exe
596	EP.exe
596	EP.exe
2644	½ØÍ¼.exe
2192	EP.exe
2192	EP.exe
2644	½ØÍ¼.exe
3056	EP.exe
3056	EP.exe
2644	½ØÍ¼.exe
2404	EP.exe
2404	EP.exe
2644	½ØÍ¼.exe
872	EP.exe
872	EP.exe
2644	½ØÍ¼.exe
352	EP.exe
352	EP.exe
2644	½ØÍ¼.exe
2288	EP.exe
2288	EP.exe
2644	½ØÍ¼.exe
1964	EP.exe
1964	EP.exe
2644	½ØÍ¼.exe
624	EP.exe
624	EP.exe
2644	½ØÍ¼.exe
568	EP.exe
568	EP.exe
2644	½ØÍ¼.exe
2416	EP.exe
2416	EP.exe
2644	½ØÍ¼.exe
1544	EP.exe
1544	EP.exe
2644	½ØÍ¼.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ying-UnInstall.exe	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
File opened for modification	C:\Windows\SysWOW64\Ying-UnInstall.exe	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\ = "Uninstall File"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF\ = "YingUnInstall2"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon\ = "C:\\Windows\\SysWow64\\Ying-UnInstall.exe,0"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command\ = "\"C:\\Windows\\system32\\Ying-UnInstall.exe\" %1"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

½ØÍ¼.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
2644	½ØÍ¼.exe
2644	½ØÍ¼.exe
2256	EP.exe
2644	½ØÍ¼.exe
2292	EP.exe
2644	½ØÍ¼.exe
2284	EP.exe
2644	½ØÍ¼.exe
2812	EP.exe
2644	½ØÍ¼.exe
2932	EP.exe
2644	½ØÍ¼.exe
2324	EP.exe
2644	½ØÍ¼.exe
760	EP.exe
2644	½ØÍ¼.exe
596	EP.exe
2644	½ØÍ¼.exe
2192	EP.exe
2644	½ØÍ¼.exe
3056	EP.exe
2644	½ØÍ¼.exe
2404	EP.exe
2644	½ØÍ¼.exe
872	EP.exe
2644	½ØÍ¼.exe
352	EP.exe
2644	½ØÍ¼.exe
2288	EP.exe
2644	½ØÍ¼.exe
1964	EP.exe
2644	½ØÍ¼.exe
624	EP.exe
2644	½ØÍ¼.exe
568	EP.exe
2644	½ØÍ¼.exe
2416	EP.exe
2644	½ØÍ¼.exe
1544	EP.exe
2644	½ØÍ¼.exe
2972	EP.exe
2644	½ØÍ¼.exe
1348	EP.exe
2644	½ØÍ¼.exe
2924	EP.exe
2644	½ØÍ¼.exe
1512	EP.exe
2644	½ØÍ¼.exe
2252	EP.exe
2644	½ØÍ¼.exe
1820	EP.exe
2644	½ØÍ¼.exe
1628	EP.exe
2644	½ØÍ¼.exe
2052	EP.exe
2644	½ØÍ¼.exe
2652	EP.exe
2644	½ØÍ¼.exe
2680	EP.exe
2644	½ØÍ¼.exe
2604	EP.exe
2644	½ØÍ¼.exe
2788	EP.exe
2644	½ØÍ¼.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

pid	process
1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe½ØÍ¼.exe

description	pid	process	target process
PID 1724 wrote to memory of 2644	1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 1724 wrote to memory of 2644	1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 1724 wrote to memory of 2644	1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 1724 wrote to memory of 2644	1724	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 2644 wrote to memory of 2464	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2464	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2464	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2464	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2240	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2240	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2240	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2240	2644	½ØÍ¼.exe	HD-Frontend.exe
PID 2644 wrote to memory of 2256	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2256	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2256	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2256	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2292	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2292	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2292	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2292	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2284	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2284	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2284	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2284	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2812	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2812	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2812	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2812	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2932	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2932	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2932	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2932	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2324	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2324	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2324	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2324	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 760	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 760	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 760	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 760	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 596	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 596	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 596	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 596	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2192	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2192	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2192	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2192	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 3056	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 3056	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 3056	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 3056	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2404	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2404	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2404	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 2404	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 872	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 872	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 872	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 872	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 352	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 352	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 352	2644	½ØÍ¼.exe	EP.exe
PID 2644 wrote to memory of 352	2644	½ØÍ¼.exe	EP.exe

C:\Users\Admin\AppData\Local\Temp\20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
"C:\Users\Admin\AppData\Local\Temp\20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe
C:\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
3⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
3⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2652

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2856

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:320

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2628

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:268

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1328

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
"C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe" "C:\Users\Admin\AppData\Local\Temp\\C4ADC608075D476a91BF41.lnk"
1⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
"C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe" "C:\Users\Admin\AppData\Local\Temp\\4828F891DF9340e2A622AC.lnk"
1⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EP.exe
Filesize
72KB

MD5
3ffb2d1b619bd7841df50aaf619922fd

SHA1
6973d1b9f33ceb741569db9d0d1fa06712a2565e

SHA256
8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe

SHA512
7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FreeImage.dll
Filesize
2.5MB

MD5
a96116fdad589c4f8b2c719e20dc110c

SHA1
b0741a85eadbebbb151473f524e949d573275452

SHA256
e8b8a7c3c8d3fd8bab2720fa619f5147b4f89228b6f82ed65fba284258e79437

SHA512
8ce07212a516f0ca169ce77b3cef401c247efec6031669c21fbb2feea0103cd68cdcf577e85a8caca287338b097852e09937b1ba86b764bc79c93a272a7c9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
Filesize
1.1MB

MD5
be2e5dba6d2cad5e64549f4336bd8615

SHA1
0b92e91365c3a367d108f099c2c0a04c01d45087

SHA256
d9841a11885a25607f379e829be9c20e2c79800469c3f89e6cb515608b0568de

SHA512
907bf1ac0bfa1bb9aba048437cede6794987938cfac0096814dc8de7ea2bf71a9c6ccff7a644372431c1a4d522d10eae8120335e9e45a03ec0f3e73cdedd07b8

Download Submit
C:\Users\Public\Documents\180 1.0.UIF
Filesize
8KB

MD5
9994ae32c4b68c5819c43897c281c83f

SHA1
ee1eb0be1085474d99ae54ad7e88e9e74b032c40

SHA256
c7a528b87ba2e7d615388d131b05b18f16eceb8f626c446369ac91601517c7d7

SHA512
fc1d9358cd2ee3475162afc31447c178cd916f873a3eaaae0e741a275f53f25ce269452f2b759feeb6568662542f32d46fe82dd547a27db9aeee5303a71bd745

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp100.dll
Filesize
777KB

MD5
8d2c1037688f1603f78e033bad57cf20

SHA1
bb27bc4e6d91e0522950634d8fc91af63a97cd4c

SHA256
231198a7515b1d9aaece3c2d0efd2a151aab9bd3b6978588c7d2c6f085c2035e

SHA512
8d0b6887bb7017df0c078572ad76cb0adf0cb11d1a4d0eaae39d6a9b66f2d33e15002fca9c5fe326a3fa1f8ac6e91345acced92312f7feb757209886071dab90

Download Submit
\Users\Admin\AppData\Local\Temp\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe
Filesize
1.8MB

MD5
0494a252ea51e0d6f008fdfc12583d6e

SHA1
762eab09827f9e2e608c27dd38aed5b66eea48a5

SHA256
1611cee7c26200bdc2f2d293663576579cd966c912ea6e81a652a9d748e9a3f7

SHA512
4e887eb91887de53e5160666ff77a058bc27a442c545fd368c4f7889152c54d23efc19ef79aa8133e6ff6d6b7b5258979a145b954645b0830da97d79bb0c53b9

Download Submit
memory/2044-73-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2044-100-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2044-76-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2240-94-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2240-71-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2240-69-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2464-54-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2464-49-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2464-78-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2644-40-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2644-53-0x0000000003DB0000-0x0000000003EC6000-memory.dmp

Filesize
1.1MB

Download
memory/2644-68-0x0000000003EF0000-0x0000000004006000-memory.dmp

Filesize
1.1MB

Download
memory/2644-112-0x0000000003EF0000-0x0000000004006000-memory.dmp

Filesize
1.1MB

Download
memory/2644-75-0x0000000003DB0000-0x0000000003EC6000-memory.dmp

Filesize
1.1MB

Download
memory/2644-50-0x0000000003DB0000-0x0000000003EC6000-memory.dmp

Filesize
1.1MB

Download
memory/2644-77-0x0000000003DB0000-0x0000000003EC6000-memory.dmp

Filesize
1.1MB

Download
memory/2644-101-0x0000000003EF0000-0x0000000004006000-memory.dmp

Filesize
1.1MB

Download
memory/2644-39-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2644-41-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2644-42-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2644-43-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2644-44-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2744-79-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2744-62-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2744-60-0x0000000000EB0000-0x0000000000FC6000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads