f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Size

1.2MB
MD5

bb28f0fb99665e8890f228ff2d00f2e5
SHA1

f9471627997de3bd2bff5ead8ae6773b2bc0b3e9
SHA256

f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272
SHA512

beeae047fca275186b8e6ebfa69c63ba6a99d062ae4e1c0ce51553fdad10d64143d5848f0cc1a54135f962056f822b012e751637d1c511d951748a6920e0c475
SSDEEP

24576:OnaNgu5YyCtCCm0BmmvFimm00h2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:OnSgu5RCtCmizbazR0vk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpaom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnkdnqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnkdnqhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgciff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmpaom32.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	Hnkdnqhm.exe
2540	Hqiqjlga.exe
2704	Hgciff32.exe
2536	Hmpaom32.exe
2144	Iegeonpc.exe
2376	Jimdcqom.exe
2852	Jlqjkk32.exe
1720	Kmfpmc32.exe
2868	Kdphjm32.exe
2740	Ldgnklmi.exe
1904	Lbjofi32.exe

Loads dropped DLL 26 IoCs

pid	Process
2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
2796	Hnkdnqhm.exe
2796	Hnkdnqhm.exe
2540	Hqiqjlga.exe
2540	Hqiqjlga.exe
2704	Hgciff32.exe
2704	Hgciff32.exe
2536	Hmpaom32.exe
2536	Hmpaom32.exe
2144	Iegeonpc.exe
2144	Iegeonpc.exe
2376	Jimdcqom.exe
2376	Jimdcqom.exe
2852	Jlqjkk32.exe
2852	Jlqjkk32.exe
1720	Kmfpmc32.exe
1720	Kmfpmc32.exe
2868	Kdphjm32.exe
2868	Kdphjm32.exe
2740	Ldgnklmi.exe
2740	Ldgnklmi.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Cbdmhnfl.dll	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Hqiqjlga.exe	Hnkdnqhm.exe
File created	C:\Windows\SysWOW64\Hmpaom32.exe	Hgciff32.exe
File created	C:\Windows\SysWOW64\Pnalcc32.dll	Hgciff32.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Mmichb32.dll	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
File opened for modification	C:\Windows\SysWOW64\Hgciff32.exe	Hqiqjlga.exe
File opened for modification	C:\Windows\SysWOW64\Iegeonpc.exe	Hmpaom32.exe
File created	C:\Windows\SysWOW64\Aekabb32.dll	Hmpaom32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Jlqjkk32.exe
File opened for modification	C:\Windows\SysWOW64\Hqiqjlga.exe	Hnkdnqhm.exe
File created	C:\Windows\SysWOW64\Hgciff32.exe	Hqiqjlga.exe
File created	C:\Windows\SysWOW64\Iegeonpc.exe	Hmpaom32.exe
File created	C:\Windows\SysWOW64\Hnkdnqhm.exe	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
File opened for modification	C:\Windows\SysWOW64\Jimdcqom.exe	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Biklma32.dll	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Ggegqe32.dll	Hqiqjlga.exe
File created	C:\Windows\SysWOW64\Faibdo32.dll	Hnkdnqhm.exe
File opened for modification	C:\Windows\SysWOW64\Hmpaom32.exe	Hgciff32.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Hnkdnqhm.exe	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
File opened for modification	C:\Windows\SysWOW64\Jlqjkk32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Jimdcqom.exe	Iegeonpc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	1904	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgciff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkdnqhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqiqjlga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpaom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmpaom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnkdnqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmichb32.dll"	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll"	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggegqe32.dll"	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll"	Hnkdnqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnkdnqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgciff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmpaom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll"	Hmpaom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgciff32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2796	2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe	30
PID 2496 wrote to memory of 2796	2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe	30
PID 2496 wrote to memory of 2796	2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe	30
PID 2496 wrote to memory of 2796	2496	f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe	30
PID 2796 wrote to memory of 2540	2796	Hnkdnqhm.exe	31
PID 2796 wrote to memory of 2540	2796	Hnkdnqhm.exe	31
PID 2796 wrote to memory of 2540	2796	Hnkdnqhm.exe	31
PID 2796 wrote to memory of 2540	2796	Hnkdnqhm.exe	31
PID 2540 wrote to memory of 2704	2540	Hqiqjlga.exe	32
PID 2540 wrote to memory of 2704	2540	Hqiqjlga.exe	32
PID 2540 wrote to memory of 2704	2540	Hqiqjlga.exe	32
PID 2540 wrote to memory of 2704	2540	Hqiqjlga.exe	32
PID 2704 wrote to memory of 2536	2704	Hgciff32.exe	33
PID 2704 wrote to memory of 2536	2704	Hgciff32.exe	33
PID 2704 wrote to memory of 2536	2704	Hgciff32.exe	33
PID 2704 wrote to memory of 2536	2704	Hgciff32.exe	33
PID 2536 wrote to memory of 2144	2536	Hmpaom32.exe	34
PID 2536 wrote to memory of 2144	2536	Hmpaom32.exe	34
PID 2536 wrote to memory of 2144	2536	Hmpaom32.exe	34
PID 2536 wrote to memory of 2144	2536	Hmpaom32.exe	34
PID 2144 wrote to memory of 2376	2144	Iegeonpc.exe	35
PID 2144 wrote to memory of 2376	2144	Iegeonpc.exe	35
PID 2144 wrote to memory of 2376	2144	Iegeonpc.exe	35
PID 2144 wrote to memory of 2376	2144	Iegeonpc.exe	35
PID 2376 wrote to memory of 2852	2376	Jimdcqom.exe	36
PID 2376 wrote to memory of 2852	2376	Jimdcqom.exe	36
PID 2376 wrote to memory of 2852	2376	Jimdcqom.exe	36
PID 2376 wrote to memory of 2852	2376	Jimdcqom.exe	36
PID 2852 wrote to memory of 1720	2852	Jlqjkk32.exe	37
PID 2852 wrote to memory of 1720	2852	Jlqjkk32.exe	37
PID 2852 wrote to memory of 1720	2852	Jlqjkk32.exe	37
PID 2852 wrote to memory of 1720	2852	Jlqjkk32.exe	37
PID 1720 wrote to memory of 2868	1720	Kmfpmc32.exe	38
PID 1720 wrote to memory of 2868	1720	Kmfpmc32.exe	38
PID 1720 wrote to memory of 2868	1720	Kmfpmc32.exe	38
PID 1720 wrote to memory of 2868	1720	Kmfpmc32.exe	38
PID 2868 wrote to memory of 2740	2868	Kdphjm32.exe	39
PID 2868 wrote to memory of 2740	2868	Kdphjm32.exe	39
PID 2868 wrote to memory of 2740	2868	Kdphjm32.exe	39
PID 2868 wrote to memory of 2740	2868	Kdphjm32.exe	39
PID 2740 wrote to memory of 1904	2740	Ldgnklmi.exe	40
PID 2740 wrote to memory of 1904	2740	Ldgnklmi.exe	40
PID 2740 wrote to memory of 1904	2740	Ldgnklmi.exe	40
PID 2740 wrote to memory of 1904	2740	Ldgnklmi.exe	40
PID 1904 wrote to memory of 2328	1904	Lbjofi32.exe	41
PID 1904 wrote to memory of 2328	1904	Lbjofi32.exe	41
PID 1904 wrote to memory of 2328	1904	Lbjofi32.exe	41
PID 1904 wrote to memory of 2328	1904	Lbjofi32.exe	41

C:\Users\Admin\AppData\Local\Temp\f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe
"C:\Users\Admin\AppData\Local\Temp\f7dafcb218b13f7fe68021c71b9f7ca911ef328c5c401ed464770d145ec49272.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\Hnkdnqhm.exe
  C:\Windows\system32\Hnkdnqhm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Hqiqjlga.exe
    C:\Windows\system32\Hqiqjlga.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\Hgciff32.exe
      C:\Windows\system32\Hgciff32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Hmpaom32.exe
        
        C:\Windows\system32\Hmpaom32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aekabb32.dll

Filesize
7KB

MD5
02f712def200ac6fc306fbbf5f1a7803

SHA1
d0966b08f10aa00f08fcedca37f6c190fa9ce076

SHA256
b9fd5419b4b72707376b9ac53d30d45008003d2d4dfd94b440a0bacefa95833f

SHA512
a3e0676f6b80b743441a4ac464253fa6c7e2546ff4ba8a0f32c2ed26ee020705bcf87ab33b93cfb032b5221f28e9cb1ed4779ae8067e6458e28890a8d78619b2

Download Submit
C:\Windows\SysWOW64\Hgciff32.exe

Filesize
1.2MB

MD5
9219123ef92ee33f96e6cd623d93a9a2

SHA1
340b93a64ade6a765d0ffaedac834d4a9e9d24db

SHA256
4d3e95f669b78ef29f10fb714da0035f7fccf6ac88810c0fa5897ba909f898c9

SHA512
d6a41c1438ba66753fe21781d7fea2915e30103d5a4b2dbe1dbd9ccfbeb3899a68a970431a935ad33484278ee6d4765ed5deb2bf722ee73c37a8b1ea8fd18fc6

Download Submit
C:\Windows\SysWOW64\Hqiqjlga.exe

Filesize
1.2MB

MD5
d2ec037ec3cebe2b5562012b611b9e9f

SHA1
a25e1f0ad7e63a3cf535104b5994a58481ad61e7

SHA256
095ca75af21676bc7cb3eaaf5c40134da9b471c5bc891280ea5ee0e874796c4d

SHA512
17b60e904a86e6eaf9cd26a6317a187ee4fd3674c9bff97ec685bff8af82133d872a24b78f14ab4fadfa1ce2d586935e4bdef9401613c622cae4577e08ce14bc

Download Submit
C:\Windows\SysWOW64\Iegeonpc.exe

Filesize
1.2MB

MD5
6a2a5963ff8017d8fdfb897ce67ebb0e

SHA1
09ce1ccf202bfd9178dffea4004c6e3e6ec4aa2c

SHA256
8f433747307e4260ad5cfae3936068e653bd200a714117a257f868461cccbc8a

SHA512
374f654830e81d01d6b5d8c5805ed6406a3f27ccc38566eff27b0cb2bb6640e99b3868a8b7fdf318a99ab4d5ce38d1ae3697de28d8e65138eb2ca813c7305195

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
1.2MB

MD5
e010bfecbc8c72f7f84dd0aecbc5554a

SHA1
28748ff1dddd294ee0db4103b8c71062914d68da

SHA256
f2e21addccd13a3716c80d9384abb88c2abce44f7149733929c1dbcf67386d8e

SHA512
23377f5ecdeb8b093d06cd901d769b1ef0a542fcec278be001a882132b59435a01c5e019d6d812415bb7a5fa14680b3cbe544a5f9e77551ae395f6df731c99b0

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
1.2MB

MD5
5b864a6ff07368e493e82814f5b8e2ac

SHA1
d0aaba22d9459de856ae6a4764588f603ebcf48d

SHA256
84dcbb236921c5b3c4fb16a72ead744205365a4d4f59af3c680acd10337f8be9

SHA512
d89aa3a3157874b1766c42df63311cecd5a5d343330adec2a3ae34e01a1bec4a0fb960da016c3ce6618776c5c2db938a945f648dea28d714a4fe961958e3783c

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
1.2MB

MD5
7411585ff0b59a348f8de5f54e9da1e6

SHA1
65f9a3ef22fc6873798e9d9366bd85caecf2e87a

SHA256
00e176b56ee68ba124f0f852cba184dd6824635c82b5d9180ff9c88b00809689

SHA512
b27ca9ecd3542f06cae6615139d487f062ab94c74021862a66a793a32ac76f2ae50eddfe873e9f6fcd4366ca08951525a1607c7a7ae552d78e9fd76b89e384e4

Download Submit
\Windows\SysWOW64\Hmpaom32.exe

Filesize
1.2MB

MD5
e89bfe9e1967efd5b68ba55c16e9d13d

SHA1
2ee25d0635f3bc6f8cb461ca2c967596841f0a31

SHA256
d27e6f0f15ca589d611eb24e1f0a60093cd46041cda3b19b75dab532db440231

SHA512
63ed8aec838d7b86a5a840d7972f3034617776116906974707b520b9d1cd931b72b81222d210b463d3544415de3e31d894874db8a96e6ae332bdf706b9e8f667

Download Submit
\Windows\SysWOW64\Hnkdnqhm.exe

Filesize
1.2MB

MD5
6f787e3dc26fe351aea752fd14040f48

SHA1
f92d9e46c6bc66abe1867ba456964cb566f73511

SHA256
cfe0a4b52b40385ab307c75228b12cd74a26ddfee734f6b2a4a7d4d9261709bb

SHA512
85ce2f2acf2404ac14005e79a0458c321c636323ea65398a52d489c4ab83aa8748aa86494b50d5a8544b86340d0d9ac388d704696c5be412ca81a79863380c83

Download Submit
\Windows\SysWOW64\Jimdcqom.exe

Filesize
1.2MB

MD5
502f2e54da36acca2edac92dc4d6eac9

SHA1
bf08d4ab400835a7ad55d0f0b9086d5f0e049095

SHA256
79e8311ec5f42003e2e009676a7c4cc550c886c062e6e7b94db3e46c89fdd043

SHA512
230c415946067767ffe6db2a8dc20cb2f8ccf476ebe57097f91a2cdcf7ce4656cb748a9c349055fe91037aad2cfed2f2cd794a5ede7776d3f002898452a86153

Download Submit
\Windows\SysWOW64\Kdphjm32.exe

Filesize
1.2MB

MD5
2c433dff0af1c8cc2815d35d4415f770

SHA1
f94834349d6a2e8cfde2e0e54bf479d9e1f27810

SHA256
f8af5719c8f219e062325a20c90aec75598ebd132eac98317670df8ddde9e3c3

SHA512
5b844a88c30d2111fd3ece5f6a122f3526a2cbd2b35b92486acfaaf773de6c2f27de934eff139234e381f4a49f1b00e7a3f273cb73fb9b34008f8409d6916054

Download Submit
\Windows\SysWOW64\Kmfpmc32.exe

Filesize
1.2MB

MD5
16a5678645be3655875083d36dc14acb

SHA1
9c298065faf778f733dc1f92a47840cfddb44b4e

SHA256
638d08e97371fefcb9b2ad67085497dff94015856602141a85d241f59513cc0c

SHA512
193f3dfd82eef3192867be5adeae2f28ce5c36f0962715732b45a9264b7caaa7f894da438f0e82d126c0b2e7bbae559ad4978931aab20519f31ea8cd40f9c529

Download Submit
memory/1720-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-171-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1904-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-78-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2376-101-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2376-142-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2376-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-149-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2376-99-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2496-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2496-18-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2496-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2496-86-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2496-85-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2496-17-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2536-69-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2536-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-118-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2536-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-54-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2704-117-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2704-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2704-55-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2740-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-164-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2740-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-174-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2796-32-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2796-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-163-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-166-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2852-114-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2852-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-143-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2868-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads