7ceebd8c3d6580cc052edb2c444560dff903b3f92dd3ac509ed6f63d4036adc7

General

Target

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Size

3.2MB
MD5

fa96589961b9650ea9c44268bb42f3e3
SHA1

cbee4a701e231c64222e578daa1aed136faa7945
SHA256

7ceebd8c3d6580cc052edb2c444560dff903b3f92dd3ac509ed6f63d4036adc7
SHA512

281ed6d1fa5a101d9e7a140abc5947dbf740d571ecfe96496e70e862c690dace2feedb8a63b1aad9752d7ea2ff35e22194a2eda2ed1003f219abcff5d93d9270
SSDEEP

98304:hRwYKnNRKF1pVaNB5EwLwaL+P5zu2jNOcBWR:AnNRUHawP5zuMIIw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

½ØÍ¼.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	½ØÍ¼.exe

Executes dropped EXE 64 IoCs

Processes:

½ØÍ¼.exeHD-Frontend.exeHD-Frontend.exeHD-Frontend.exeHD-Frontend.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
1068	½ØÍ¼.exe
3160	HD-Frontend.exe
3224	HD-Frontend.exe
992	HD-Frontend.exe
5080	HD-Frontend.exe
2944	EP.exe
1816	EP.exe
1164	EP.exe
4584	EP.exe
4896	EP.exe
4612	EP.exe
2724	EP.exe
380	EP.exe
1420	EP.exe
2148	EP.exe
4296	EP.exe
2872	EP.exe
2792	EP.exe
1500	EP.exe
2828	EP.exe
2572	EP.exe
4528	EP.exe
3396	EP.exe
5116	EP.exe
3236	EP.exe
876	EP.exe
4864	EP.exe
4064	EP.exe
1972	EP.exe
4392	EP.exe
1456	EP.exe
1872	EP.exe
4140	EP.exe
2528	EP.exe
464	EP.exe
4664	EP.exe
3284	EP.exe
2784	EP.exe
1900	EP.exe
2184	EP.exe
4488	EP.exe
2608	EP.exe
4788	EP.exe
4100	EP.exe
2320	EP.exe
404	EP.exe
2904	EP.exe
3932	EP.exe
4092	EP.exe
3828	EP.exe
2400	EP.exe
3996	EP.exe
1740	EP.exe
2324	EP.exe
400	EP.exe
4424	EP.exe
720	EP.exe
1608	EP.exe
740	EP.exe
4800	EP.exe
5060	EP.exe
1496	EP.exe
4852	EP.exe
2448	EP.exe

Loads dropped DLL 64 IoCs

Processes:

½ØÍ¼.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
1068	½ØÍ¼.exe
2944	EP.exe
2944	EP.exe
1816	EP.exe
1816	EP.exe
1164	EP.exe
1164	EP.exe
4584	EP.exe
4584	EP.exe
4896	EP.exe
4896	EP.exe
4612	EP.exe
4612	EP.exe
2724	EP.exe
2724	EP.exe
380	EP.exe
380	EP.exe
1420	EP.exe
1420	EP.exe
2148	EP.exe
2148	EP.exe
4296	EP.exe
4296	EP.exe
2872	EP.exe
2872	EP.exe
2792	EP.exe
2792	EP.exe
1500	EP.exe
1500	EP.exe
2828	EP.exe
2828	EP.exe
2572	EP.exe
2572	EP.exe
4528	EP.exe
4528	EP.exe
3396	EP.exe
3396	EP.exe
5116	EP.exe
5116	EP.exe
3236	EP.exe
3236	EP.exe
876	EP.exe
876	EP.exe
4864	EP.exe
4864	EP.exe
4064	EP.exe
4064	EP.exe
1972	EP.exe
1972	EP.exe
4392	EP.exe
4392	EP.exe
1456	EP.exe
1456	EP.exe
1872	EP.exe
1872	EP.exe
4140	EP.exe
4140	EP.exe
2528	EP.exe
2528	EP.exe
464	EP.exe
464	EP.exe
4664	EP.exe
4664	EP.exe
3284	EP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ying-UnInstall.exe	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
File opened for modification	C:\Windows\SysWOW64\Ying-UnInstall.exe	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
File created	C:\Windows\SysWOW64\YingInstall\409.ini	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\DefaultIcon\ = "C:\\Windows\\SysWow64\\Ying-UnInstall.exe,0"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\Shell\Open\Command\ = "\"C:\\Windows\\system32\\Ying-UnInstall.exe\" %1"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YingUnInstall2\ = "Uninstall File"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.UIF\ = "YingUnInstall2"	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

½ØÍ¼.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exeEP.exe

pid	process
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2944	EP.exe
2944	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1816	EP.exe
1816	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1164	EP.exe
1164	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
4584	EP.exe
4584	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
4896	EP.exe
4896	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
4612	EP.exe
4612	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2724	EP.exe
2724	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
380	EP.exe
380	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1420	EP.exe
1420	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2148	EP.exe
2148	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
4296	EP.exe
4296	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2872	EP.exe
2872	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2792	EP.exe
2792	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
1500	EP.exe
1500	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe
2828	EP.exe
2828	EP.exe
1068	½ØÍ¼.exe
1068	½ØÍ¼.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

½ØÍ¼.exe

pid process

1068 ½ØÍ¼.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

pid	process
3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe½ØÍ¼.exe

description	pid	process	target process
PID 3232 wrote to memory of 1068	3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 3232 wrote to memory of 1068	3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 3232 wrote to memory of 1068	3232	20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe	½ØÍ¼.exe
PID 1068 wrote to memory of 3160	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 3160	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 3160	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 992	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 992	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 992	1068	½ØÍ¼.exe	HD-Frontend.exe
PID 1068 wrote to memory of 2944	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2944	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2944	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1816	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1816	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1816	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1164	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1164	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1164	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4584	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4584	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4584	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4896	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4896	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4896	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4612	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4612	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4612	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2724	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2724	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2724	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 380	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 380	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 380	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1420	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1420	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1420	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2148	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2148	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2148	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4296	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4296	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4296	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2872	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2872	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2872	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2792	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2792	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2792	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1500	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1500	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 1500	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2828	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2828	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2828	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2572	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2572	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 2572	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4528	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4528	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 4528	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 3396	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 3396	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 3396	1068	½ØÍ¼.exe	EP.exe
PID 1068 wrote to memory of 5116	1068	½ØÍ¼.exe	EP.exe

C:\Users\Admin\AppData\Local\Temp\20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe
"C:\Users\Admin\AppData\Local\Temp\20240521fa96589961b9650ea9c44268bb42f3e3icedid.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe
C:\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
3⤵
- Executes dropped EXE
PID:3160

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
3⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4528

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3396

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5116

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3236

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4864

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4064

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4392

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4140

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:464

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4664

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3284

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2904

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4092

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:3996

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:720

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4800

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\EP.exe
"C:\Users\Admin\AppData\Local\Temp\EP.exe"
3⤵
PID:4236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
"C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe" "C:\Users\Admin\AppData\Local\Temp\\72FB15DBDB2D4effBE4A9C.lnk"
1⤵
- Executes dropped EXE
PID:3224

C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe
"C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe" "C:\Users\Admin\AppData\Local\Temp\\A18CBEC3655943eeBDFAA0.lnk"
1⤵
- Executes dropped EXE
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EP.exe

Filesize
72KB

MD5
3ffb2d1b619bd7841df50aaf619922fd

SHA1
6973d1b9f33ceb741569db9d0d1fa06712a2565e

SHA256
8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe

SHA512
7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FreeImage.dll

Filesize
2.5MB

MD5
a96116fdad589c4f8b2c719e20dc110c

SHA1
b0741a85eadbebbb151473f524e949d573275452

SHA256
e8b8a7c3c8d3fd8bab2720fa619f5147b4f89228b6f82ed65fba284258e79437

SHA512
8ce07212a516f0ca169ce77b3cef401c247efec6031669c21fbb2feea0103cd68cdcf577e85a8caca287338b097852e09937b1ba86b764bc79c93a272a7c9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD-Frontend.exe

Filesize
1.1MB

MD5
be2e5dba6d2cad5e64549f4336bd8615

SHA1
0b92e91365c3a367d108f099c2c0a04c01d45087

SHA256
d9841a11885a25607f379e829be9c20e2c79800469c3f89e6cb515608b0568de

SHA512
907bf1ac0bfa1bb9aba048437cede6794987938cfac0096814dc8de7ea2bf71a9c6ccff7a644372431c1a4d522d10eae8120335e9e45a03ec0f3e73cdedd07b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp100.dll

Filesize
777KB

MD5
8d2c1037688f1603f78e033bad57cf20

SHA1
bb27bc4e6d91e0522950634d8fc91af63a97cd4c

SHA256
231198a7515b1d9aaece3c2d0efd2a151aab9bd3b6978588c7d2c6f085c2035e

SHA512
8d0b6887bb7017df0c078572ad76cb0adf0cb11d1a4d0eaae39d6a9b66f2d33e15002fca9c5fe326a3fa1f8ac6e91345acced92312f7feb757209886071dab90

Download Submit
C:\Users\Admin\AppData\Local\Temp\½ØÍ¼.exe

Filesize
1.8MB

MD5
0494a252ea51e0d6f008fdfc12583d6e

SHA1
762eab09827f9e2e608c27dd38aed5b66eea48a5

SHA256
1611cee7c26200bdc2f2d293663576579cd966c912ea6e81a652a9d748e9a3f7

SHA512
4e887eb91887de53e5160666ff77a058bc27a442c545fd368c4f7889152c54d23efc19ef79aa8133e6ff6d6b7b5258979a145b954645b0830da97d79bb0c53b9

Download Submit
C:\Users\Public\Documents\180 1.0.UIF

Filesize
8KB

MD5
9994ae32c4b68c5819c43897c281c83f

SHA1
ee1eb0be1085474d99ae54ad7e88e9e74b032c40

SHA256
c7a528b87ba2e7d615388d131b05b18f16eceb8f626c446369ac91601517c7d7

SHA512
fc1d9358cd2ee3475162afc31447c178cd916f873a3eaaae0e741a275f53f25ce269452f2b759feeb6568662542f32d46fe82dd547a27db9aeee5303a71bd745

Download Submit
memory/992-85-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/992-64-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/992-66-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/1068-45-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/1068-72-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3160-49-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/3160-51-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/3160-70-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/3224-58-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/3224-71-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/3224-59-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/5080-68-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download
memory/5080-86-0x00000000009F0000-0x0000000000B06000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads