2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Size

128KB
MD5

96e48e26ddbe27eb9730302b5f0b1134
SHA1

2fc4141e06b844783ec8df238d0a9c0eac743451
SHA256

2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2
SHA512

a7bd9ce7a7826a7941d0e4160c5cb5900b7b6c885bdb95b1060ace8af7118e7712cfdac69a0ef233fc59d76fe4a205ed5472fefad85c7bad695ad076b394077f
SSDEEP

3072:h/g5f4nYV7qEGG32/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:hIf4nYVW5s4BhHmNEcYj9nhV8NCU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe

Executes dropped EXE 12 IoCs

pid	Process
2736	Hlakpp32.exe
2668	Hckcmjep.exe
2788	Hnagjbdf.exe
2484	Hcnpbi32.exe
2560	Hjhhocjj.exe
2520	Hodpgjha.exe
1920	Henidd32.exe
2536	Hlhaqogk.exe
1808	Icbimi32.exe
1684	Ieqeidnl.exe
1812	Ioijbj32.exe
2412	Iagfoe32.exe

Loads dropped DLL 28 IoCs

pid	Process
2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
2736	Hlakpp32.exe
2736	Hlakpp32.exe
2668	Hckcmjep.exe
2668	Hckcmjep.exe
2788	Hnagjbdf.exe
2788	Hnagjbdf.exe
2484	Hcnpbi32.exe
2484	Hcnpbi32.exe
2560	Hjhhocjj.exe
2560	Hjhhocjj.exe
2520	Hodpgjha.exe
2520	Hodpgjha.exe
1920	Henidd32.exe
1920	Henidd32.exe
2536	Hlhaqogk.exe
2536	Hlhaqogk.exe
1808	Icbimi32.exe
1808	Icbimi32.exe
1684	Ieqeidnl.exe
1684	Ieqeidnl.exe
1812	Ioijbj32.exe
1812	Ioijbj32.exe
348	WerFault.exe
348	WerFault.exe
348	WerFault.exe
348	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
348	2412	WerFault.exe	39

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2736	2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	28
PID 2776 wrote to memory of 2736	2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	28
PID 2776 wrote to memory of 2736	2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	28
PID 2776 wrote to memory of 2736	2776	2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe	28
PID 2736 wrote to memory of 2668	2736	Hlakpp32.exe	29
PID 2736 wrote to memory of 2668	2736	Hlakpp32.exe	29
PID 2736 wrote to memory of 2668	2736	Hlakpp32.exe	29
PID 2736 wrote to memory of 2668	2736	Hlakpp32.exe	29
PID 2668 wrote to memory of 2788	2668	Hckcmjep.exe	30
PID 2668 wrote to memory of 2788	2668	Hckcmjep.exe	30
PID 2668 wrote to memory of 2788	2668	Hckcmjep.exe	30
PID 2668 wrote to memory of 2788	2668	Hckcmjep.exe	30
PID 2788 wrote to memory of 2484	2788	Hnagjbdf.exe	31
PID 2788 wrote to memory of 2484	2788	Hnagjbdf.exe	31
PID 2788 wrote to memory of 2484	2788	Hnagjbdf.exe	31
PID 2788 wrote to memory of 2484	2788	Hnagjbdf.exe	31
PID 2484 wrote to memory of 2560	2484	Hcnpbi32.exe	32
PID 2484 wrote to memory of 2560	2484	Hcnpbi32.exe	32
PID 2484 wrote to memory of 2560	2484	Hcnpbi32.exe	32
PID 2484 wrote to memory of 2560	2484	Hcnpbi32.exe	32
PID 2560 wrote to memory of 2520	2560	Hjhhocjj.exe	33
PID 2560 wrote to memory of 2520	2560	Hjhhocjj.exe	33
PID 2560 wrote to memory of 2520	2560	Hjhhocjj.exe	33
PID 2560 wrote to memory of 2520	2560	Hjhhocjj.exe	33
PID 2520 wrote to memory of 1920	2520	Hodpgjha.exe	34
PID 2520 wrote to memory of 1920	2520	Hodpgjha.exe	34
PID 2520 wrote to memory of 1920	2520	Hodpgjha.exe	34
PID 2520 wrote to memory of 1920	2520	Hodpgjha.exe	34
PID 1920 wrote to memory of 2536	1920	Henidd32.exe	35
PID 1920 wrote to memory of 2536	1920	Henidd32.exe	35
PID 1920 wrote to memory of 2536	1920	Henidd32.exe	35
PID 1920 wrote to memory of 2536	1920	Henidd32.exe	35
PID 2536 wrote to memory of 1808	2536	Hlhaqogk.exe	36
PID 2536 wrote to memory of 1808	2536	Hlhaqogk.exe	36
PID 2536 wrote to memory of 1808	2536	Hlhaqogk.exe	36
PID 2536 wrote to memory of 1808	2536	Hlhaqogk.exe	36
PID 1808 wrote to memory of 1684	1808	Icbimi32.exe	37
PID 1808 wrote to memory of 1684	1808	Icbimi32.exe	37
PID 1808 wrote to memory of 1684	1808	Icbimi32.exe	37
PID 1808 wrote to memory of 1684	1808	Icbimi32.exe	37
PID 1684 wrote to memory of 1812	1684	Ieqeidnl.exe	38
PID 1684 wrote to memory of 1812	1684	Ieqeidnl.exe	38
PID 1684 wrote to memory of 1812	1684	Ieqeidnl.exe	38
PID 1684 wrote to memory of 1812	1684	Ieqeidnl.exe	38
PID 1812 wrote to memory of 2412	1812	Ioijbj32.exe	39
PID 1812 wrote to memory of 2412	1812	Ioijbj32.exe	39
PID 1812 wrote to memory of 2412	1812	Ioijbj32.exe	39
PID 1812 wrote to memory of 2412	1812	Ioijbj32.exe	39
PID 2412 wrote to memory of 348	2412	Iagfoe32.exe	40
PID 2412 wrote to memory of 348	2412	Iagfoe32.exe	40
PID 2412 wrote to memory of 348	2412	Iagfoe32.exe	40
PID 2412 wrote to memory of 348	2412	Iagfoe32.exe	40

C:\Users\Admin\AppData\Local\Temp\2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe
"C:\Users\Admin\AppData\Local\Temp\2682f23ed5cecfb3c44883824f811ce1cb62e5baee35c1f4639ef0f5ea958fd2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\Hlakpp32.exe
  C:\Windows\system32\Hlakpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Hckcmjep.exe
    C:\Windows\system32\Hckcmjep.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Hnagjbdf.exe
      C:\Windows\system32\Hnagjbdf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Hckcmjep.exe

Filesize
128KB

MD5
b736ff3c12fb035b31b9c71fbd0b88db

SHA1
b067b6557bba112f46d970b009ca29e9263aedb4

SHA256
7e10ed7d19634002e9bc906429daf9e73784dd7da000b3f7133e9f41daa34aa3

SHA512
3d1395817c1326417d3e037024ee463c735c2ee2a7eca27b14bc7d1d6b0a8e1c7000618dbc0c374a0ebe070692751b37e45136c45a17569b96e879b66e0c54a1

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
128KB

MD5
1ca469419616c3cef9cc99ed8f8aa7a7

SHA1
bb734eacbbd9677ffd9e3a0a238b1463e35bb6d8

SHA256
d7f925f99eadb56a8171b9d1fba456b82bdaa0b46e54a727062ad095a61e973c

SHA512
49aeb5c6c5cf1cc7b4eb4aec26293c5410b358bac07f0047192db737e3bccebc8a2ce848c769cc23aae971fb2e0fc0cacb9f03981e06457333aadcb71380ce7f

Download Submit
\Windows\SysWOW64\Henidd32.exe

Filesize
128KB

MD5
226f19c70cb2bee742376cf3735badef

SHA1
4754bf3a8379fb68e015988792cdb55b38eee7a9

SHA256
e05f8d71fe39385e1070dafec160d082fa59d3f27625dc311dce03124cd80633

SHA512
c7b404d4db1936cd8ba2e27b2eb4be178400f69d37b0ebec879dcc5520719fe4cc2e442293fa30b800b2089b24286741a2c8d316f49442562b7fd17bcef6729d

Download Submit
\Windows\SysWOW64\Hjhhocjj.exe

Filesize
128KB

MD5
9595cb09dcf0ed13e621738ae34bcd05

SHA1
23a8375ab2f3fb9e7f4cdbb91263c4c006207ee0

SHA256
34f79fd0335cc5fd666ba770482892c192c0bf967c8241c3947199512ca74a24

SHA512
369491818c0c386c4bedb5da3253a78fabfb580bd9a8cc88120029d1b007366bb910990a0206a6af598b73517053935b995d40fdc2d1e97384a01a75ec4c4494

Download Submit
\Windows\SysWOW64\Hlakpp32.exe

Filesize
128KB

MD5
f1fa414a0527518bfbd0300bb5ea5889

SHA1
12cb3cc6fa23ab1a3561e2952e75e2d11cb30bd3

SHA256
92d409bec4a46ff3cc2d2b655cb6f1b161b0e3aaadc96899d391919a760e7ad6

SHA512
abd9e7ca5e50084dde68f66b79efdcfaf699bf42218401c47a63ad42c24dcc9f29917b3b63ce5d7fa7e0e6963da7dfc29cc13277b941e6617b1ef42651e52c40

Download Submit
\Windows\SysWOW64\Hlhaqogk.exe

Filesize
128KB

MD5
990ec6c097c78b4266849bd0d4abd648

SHA1
87b02a5b618565ea9dd7e4e6794cf65e3d3fb4be

SHA256
62013cbcbdbd377fcd8a331cba57c8383b533151f1cb9dc57b95581a976d8cc9

SHA512
92bae92eff877d8dc88644d9f2a1e1fec9c8b2d9194ea1016b4fa9a54aa6d5cba0c3150c79e1c03db1fb52709f0491c23aa469cbf0b84573dc1c460a14446863

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
128KB

MD5
78792db56efb818a05487377fb8ec471

SHA1
c3aa38de9ccd99f151196f3e1497ab9bff529fc4

SHA256
2362eae490291bbb38ed3d2e7502eecf5e6324276b23c8a0d4a3df0d43e97636

SHA512
7e376c3eef36e8c79affa11a4dcf17c082b6824e198e6226ca97666da6cd06d1d70cefeefc67e2ea99dca042c55dfbbcecbe5e4f85efe9d88c6521a41c97fb61

Download Submit
\Windows\SysWOW64\Hodpgjha.exe

Filesize
128KB

MD5
b9b85625be69d38d6d018d9894dc0d10

SHA1
ca8e3b6035df83b892befcc946323e76f31d3149

SHA256
4751dff0c223a24432f3dad071519be03232a8701d86723b31ca3166846fc33b

SHA512
3c975b504c41aa663bc1e58eaf3f21e0d08314f6ef0e61112a30ac53abc36359a3592ec0a3250b51c0f46759c335f6ffbdd422e01c1078b2dbaa51c9cd150789

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
128KB

MD5
62f002a6fd5a10c27f2cfccc7e453116

SHA1
10e2eb83cc9ef8324f9d2e2d2a0407a3cfeffc4c

SHA256
d8f4db9966436aa4ee940c8d9a084636a544ad625c845294dd9cd1ca02973e83

SHA512
4d98a94e9f679e3f713b7f5fe791f59181a9e9e6f46859f1627fc48c0465b5ed9419ef7e39534a5689080db49c6c8a2222df6ef92d3074653c4a759cf9dd95fc

Download Submit
\Windows\SysWOW64\Icbimi32.exe

Filesize
128KB

MD5
54c447b118bea7072c467b2774d56d74

SHA1
e3ffe422860c134410500672c009c9625375bba1

SHA256
2107479dbbf9cf868d3349481e41b6935c2cc11d4821ff07abe497b2d53dfbf8

SHA512
38e65f1e5e41cd378f03d1506dc2d5ba995ed49192528a7c6b0466ad21e7fb3584218e168ff14e399167d35c11e66edd2c4898eca840cc468a5359ece9c46332

Download Submit
\Windows\SysWOW64\Ieqeidnl.exe

Filesize
128KB

MD5
0a873dd8be828d77c6694f8e6005429b

SHA1
ed9d64ae8b03551f72fda93b9c495c7140dd5c19

SHA256
5efc80ae55872b01c7d86ce03a94cb50856ed8b5573bf4043948359ac5ff277e

SHA512
6e171c3a4f7916c0da266adde5987c91b289a8ad7bab6c408a5d2b552a4dae008b03f6b1b0f4dba1d43a5e007a697b7e4bfed818b74dd05756f00a532ff0a7e5

Download Submit
\Windows\SysWOW64\Ioijbj32.exe

Filesize
128KB

MD5
d1397f1b721c6cb3944b384f36deac9b

SHA1
5c624121e5d0a708b3915c0e044594161b58bd43

SHA256
9b10c67cc455ec78c6e1827bde048dad3ea20c3c06395cbed63abd560dfbe154

SHA512
183d85aba2451125c2be9e6f9c0f6e0d82dfbc1fc45e4f5dd5b5a04c85a3988567f8381689a040121a8b27079e90ccc911ad2f871073ba6551f4775bc7f133bd

Download Submit
memory/1684-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1808-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-156-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1920-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-64-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2484-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-113-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2536-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-26-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2736-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-27-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2736-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-6-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2788-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads