Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 01:39

Static task: static1

Behavioral task: behavioral1
- Sample: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
- Resource: win10v2004-20240426-en

General
- Target: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
- Size: 72KB
- MD5: 22131c8f5aa2359437f1d2ff46e1b77f
- SHA1: 387fe8d9cce803ab25b9f900c39f0e4bb6045143
- SHA256: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d
- SHA512: df1cfb1ecb87b1e6aef45ae61ed2aac4cd943af423d507e4393acf6701f25dfabffb6b9f4cfa30943e06786bec29a481394db432e229ad6cd4ee344673cecac1
- SSDEEP: 1536:0oNJ5Vi85oWPAf23geJ4T/gm+YSPgUN3QivEtA:06iG5oVeJ4ThSPgU5QJA
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdhbam32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnagjbdf.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hcifgjgc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Henidd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Henidd32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjhhocjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjhhocjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlfdkoin.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhmepp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhmepp32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaeiieeb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iaeiieeb.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlfdkoin.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcifgjgc.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdhbam32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnagjbdf.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpocfncj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpocfncj.exe |
Executes dropped EXE (10 IoCs)

| pid | Process |
| --- | --- |
| 2216 | Hcifgjgc.exe |
| 2544 | Hdhbam32.exe |
| 2556 | Hnagjbdf.exe |
| 2560 | Hpocfncj.exe |
| 2688 | Hjhhocjj.exe |
| 1520 | Hlfdkoin.exe |
| 1920 | Henidd32.exe |
| 2796 | Hhmepp32.exe |
| 2628 | Iaeiieeb.exe |
| 320 | Iagfoe32.exe |
Loads dropped DLL (24 IoCs)

| pid | Process |
| --- | --- |
| 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| 2216 | Hcifgjgc.exe |
| 2216 | Hcifgjgc.exe |
| 2544 | Hdhbam32.exe |
| 2544 | Hdhbam32.exe |
| 2556 | Hnagjbdf.exe |
| 2556 | Hnagjbdf.exe |
| 2560 | Hpocfncj.exe |
| 2560 | Hpocfncj.exe |
| 2688 | Hjhhocjj.exe |
| 2688 | Hjhhocjj.exe |
| 1520 | Hlfdkoin.exe |
| 1520 | Hlfdkoin.exe |
| 1920 | Henidd32.exe |
| 1920 | Henidd32.exe |
| 2796 | Hhmepp32.exe |
| 2796 | Hhmepp32.exe |
| 2628 | Iaeiieeb.exe |
| 2628 | Iaeiieeb.exe |
| 2604 | WerFault.exe |
| 2604 | WerFault.exe |
| 2604 | WerFault.exe |
| 2604 | WerFault.exe |
Drops file in System32 directory (30 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| File created | C:\Windows\SysWOW64\Polebcgg.dll | Hlfdkoin.exe |
| File created | C:\Windows\SysWOW64\Hhmepp32.exe | Henidd32.exe |
| File opened for modification | C:\Windows\SysWOW64\Iaeiieeb.exe | Hhmepp32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hcifgjgc.exe | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| File created | C:\Windows\SysWOW64\Hpocfncj.exe | Hnagjbdf.exe |
| File created | C:\Windows\SysWOW64\Hlfdkoin.exe | Hjhhocjj.exe |
| File created | C:\Windows\SysWOW64\Iaeiieeb.exe | Hhmepp32.exe |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | Iaeiieeb.exe |
| File created | C:\Windows\SysWOW64\Hciofb32.dll | Hnagjbdf.exe |
| File created | C:\Windows\SysWOW64\Ndabhn32.dll | Hcifgjgc.exe |
| File opened for modification | C:\Windows\SysWOW64\Hpocfncj.exe | Hnagjbdf.exe |
| File created | C:\Windows\SysWOW64\Fealjk32.dll | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| File created | C:\Windows\SysWOW64\Hdhbam32.exe | Hcifgjgc.exe |
| File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | Hdhbam32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | Hjhhocjj.exe |
| File created | C:\Windows\SysWOW64\Gmibbifn.dll | Hhmepp32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hdhbam32.exe | Hcifgjgc.exe |
| File created | C:\Windows\SysWOW64\Enlbgc32.dll | Hdhbam32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | Henidd32.exe |
| File created | C:\Windows\SysWOW64\Gjenmobn.dll | Iaeiieeb.exe |
| File created | C:\Windows\SysWOW64\Bdhaablp.dll | Henidd32.exe |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | Iaeiieeb.exe |
| File created | C:\Windows\SysWOW64\Hnagjbdf.exe | Hdhbam32.exe |
| File created | C:\Windows\SysWOW64\Hjhhocjj.exe | Hpocfncj.exe |
| File created | C:\Windows\SysWOW64\Oiogaqdb.dll | Hjhhocjj.exe |
| File created | C:\Windows\SysWOW64\Henidd32.exe | Hlfdkoin.exe |
| File opened for modification | C:\Windows\SysWOW64\Henidd32.exe | Hlfdkoin.exe |
| File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | Hpocfncj.exe |
| File created | C:\Windows\SysWOW64\Fenhecef.dll | Hpocfncj.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 2604 | 320 | WerFault.exe | 37 |
Modifies registry class (33 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcifgjgc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjhhocjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | Henidd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" | Hcifgjgc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll" | Hnagjbdf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpocfncj.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iaeiieeb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll" | Hpocfncj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Henidd32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhmepp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcifgjgc.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnagjbdf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjhhocjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iaeiieeb.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" | Hjhhocjj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpocfncj.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlfdkoin.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" | Hhmepp32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlfdkoin.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | Hlfdkoin.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Henidd32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdhbam32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" | Hdhbam32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdhbam32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnagjbdf.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhmepp32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | Iaeiieeb.exe |
Suspicious use of WriteProcessMemory (44 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2192 wrote to memory of 2216 | 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe | 28 |
| PID 2192 wrote to memory of 2216 | 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe | 28 |
| PID 2192 wrote to memory of 2216 | 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe | 28 |
| PID 2192 wrote to memory of 2216 | 2192 | b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe | 28 |
| PID 2216 wrote to memory of 2544 | 2216 | Hcifgjgc.exe | 29 |
| PID 2216 wrote to memory of 2544 | 2216 | Hcifgjgc.exe | 29 |
| PID 2216 wrote to memory of 2544 | 2216 | Hcifgjgc.exe | 29 |
| PID 2216 wrote to memory of 2544 | 2216 | Hcifgjgc.exe | 29 |
| PID 2544 wrote to memory of 2556 | 2544 | Hdhbam32.exe | 30 |
| PID 2544 wrote to memory of 2556 | 2544 | Hdhbam32.exe | 30 |
| PID 2544 wrote to memory of 2556 | 2544 | Hdhbam32.exe | 30 |
| PID 2544 wrote to memory of 2556 | 2544 | Hdhbam32.exe | 30 |
| PID 2556 wrote to memory of 2560 | 2556 | Hnagjbdf.exe | 31 |
| PID 2556 wrote to memory of 2560 | 2556 | Hnagjbdf.exe | 31 |
| PID 2556 wrote to memory of 2560 | 2556 | Hnagjbdf.exe | 31 |
| PID 2556 wrote to memory of 2560 | 2556 | Hnagjbdf.exe | 31 |
| PID 2560 wrote to memory of 2688 | 2560 | Hpocfncj.exe | 32 |
| PID 2560 wrote to memory of 2688 | 2560 | Hpocfncj.exe | 32 |
| PID 2560 wrote to memory of 2688 | 2560 | Hpocfncj.exe | 32 |
| PID 2560 wrote to memory of 2688 | 2560 | Hpocfncj.exe | 32 |
| PID 2688 wrote to memory of 1520 | 2688 | Hjhhocjj.exe | 33 |
| PID 2688 wrote to memory of 1520 | 2688 | Hjhhocjj.exe | 33 |
| PID 2688 wrote to memory of 1520 | 2688 | Hjhhocjj.exe | 33 |
| PID 2688 wrote to memory of 1520 | 2688 | Hjhhocjj.exe | 33 |
| PID 1520 wrote to memory of 1920 | 1520 | Hlfdkoin.exe | 34 |
| PID 1520 wrote to memory of 1920 | 1520 | Hlfdkoin.exe | 34 |
| PID 1520 wrote to memory of 1920 | 1520 | Hlfdkoin.exe | 34 |
| PID 1520 wrote to memory of 1920 | 1520 | Hlfdkoin.exe | 34 |
| PID 1920 wrote to memory of 2796 | 1920 | Henidd32.exe | 35 |
| PID 1920 wrote to memory of 2796 | 1920 | Henidd32.exe | 35 |
| PID 1920 wrote to memory of 2796 | 1920 | Henidd32.exe | 35 |
| PID 1920 wrote to memory of 2796 | 1920 | Henidd32.exe | 35 |
| PID 2796 wrote to memory of 2628 | 2796 | Hhmepp32.exe | 36 |
| PID 2796 wrote to memory of 2628 | 2796 | Hhmepp32.exe | 36 |
| PID 2796 wrote to memory of 2628 | 2796 | Hhmepp32.exe | 36 |
| PID 2796 wrote to memory of 2628 | 2796 | Hhmepp32.exe | 36 |
| PID 2628 wrote to memory of 320 | 2628 | Iaeiieeb.exe | 37 |
| PID 2628 wrote to memory of 320 | 2628 | Iaeiieeb.exe | 37 |
| PID 2628 wrote to memory of 320 | 2628 | Iaeiieeb.exe | 37 |
| PID 2628 wrote to memory of 320 | 2628 | Iaeiieeb.exe | 37 |
| PID 320 wrote to memory of 2604 | 320 | Iagfoe32.exe | 38 |
| PID 320 wrote to memory of 2604 | 320 | Iagfoe32.exe | 38 |
| PID 320 wrote to memory of 2604 | 320 | Iagfoe32.exe | 38 |
| PID 320 wrote to memory of 2604 | 320 | Iagfoe32.exe | 38 |
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2192

Depth 2: C:\Windows\SysWOW64\Hcifgjgc.exe
Command line: C:\Windows\system32\Hcifgjgc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2216

Depth 3: C:\Windows\SysWOW64\Hdhbam32.exe
Command line: C:\Windows\system32\Hdhbam32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2544

Depth 4: C:\Windows\SysWOW64\Hnagjbdf.exe
Command line: C:\Windows\system32\Hnagjbdf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2556

Depth 5: C:\Windows\SysWOW64\Hpocfncj.exe
Command line: C:\Windows\system32\Hpocfncj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2560

Depth 6: C:\Windows\SysWOW64\Hjhhocjj.exe
Command line: C:\Windows\system32\Hjhhocjj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2688

Depth 7: C:\Windows\SysWOW64\Hlfdkoin.exe
Command line: C:\Windows\system32\Hlfdkoin.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1520

Depth 8: C:\Windows\SysWOW64\Henidd32.exe
Command line: C:\Windows\system32\Henidd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1920

Depth 9: C:\Windows\SysWOW64\Hhmepp32.exe
Command line: C:\Windows\system32\Hhmepp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2796

Depth 10: C:\Windows\SysWOW64\Iaeiieeb.exe
Command line: C:\Windows\system32\Iaeiieeb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2628

Depth 11: C:\Windows\SysWOW64\Iagfoe32.exe
Command line: C:\Windows\system32\Iagfoe32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 320

Depth 12: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 140
- Loads dropped DLL
- Program crash
PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads