d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Size

224KB
MD5

57af7fd9485f2d2f5fc279a69339d175
SHA1

6185c0f02f629fc1ce39fe89e3d39afafb25880d
SHA256

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716
SHA512

caca3f3bc3d685dc865227a92947e16ac30363158161835ef8d57ad534907749cf940cb8bf4b0a8bdec14a8eb67a08975103cbebc8cbc7e7f7a2c968a40030d0
SSDEEP

6144:qW27moZmSCE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:qW2Sv0aAD6RrI1+lDML

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exeHcifgjgc.exeHiekid32.exeIcbimi32.exeHpmgqnfl.exeHgilchkf.exeHjjddchg.exeIhoafpmp.exeHpapln32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe

Executes dropped EXE 9 IoCs

Processes:

Hcifgjgc.exeHpmgqnfl.exeHiekid32.exeHgilchkf.exeHpapln32.exeHjjddchg.exeIcbimi32.exeIhoafpmp.exeIagfoe32.exe

pid	process
2896	Hcifgjgc.exe
2836	Hpmgqnfl.exe
2652	Hiekid32.exe
2508	Hgilchkf.exe
2708	Hpapln32.exe
2556	Hjjddchg.exe
1644	Icbimi32.exe
1680	Ihoafpmp.exe
2572	Iagfoe32.exe

Loads dropped DLL 22 IoCs

Processes:

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exeHcifgjgc.exeHpmgqnfl.exeHiekid32.exeHgilchkf.exeHpapln32.exeHjjddchg.exeIcbimi32.exeIhoafpmp.exeWerFault.exe

pid	process
2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
2896	Hcifgjgc.exe
2896	Hcifgjgc.exe
2836	Hpmgqnfl.exe
2836	Hpmgqnfl.exe
2652	Hiekid32.exe
2652	Hiekid32.exe
2508	Hgilchkf.exe
2508	Hgilchkf.exe
2708	Hpapln32.exe
2708	Hpapln32.exe
2556	Hjjddchg.exe
2556	Hjjddchg.exe
1644	Icbimi32.exe
1644	Icbimi32.exe
1680	Ihoafpmp.exe
1680	Ihoafpmp.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe

Drops file in System32 directory 27 IoCs

Processes:

Hcifgjgc.exeIcbimi32.exeIhoafpmp.exeHgilchkf.exeHpapln32.exeHjjddchg.exeHpmgqnfl.exed1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exeHiekid32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2248 2572 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2248	2572	WerFault.exe	Iagfoe32.exe

Modifies registry class 30 IoCs

Processes:

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exeHiekid32.exeHjjddchg.exeIcbimi32.exeHpmgqnfl.exeHgilchkf.exeHpapln32.exeHcifgjgc.exeIhoafpmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihoafpmp.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exeHcifgjgc.exeHpmgqnfl.exeHiekid32.exeHgilchkf.exeHpapln32.exeHjjddchg.exeIcbimi32.exeIhoafpmp.exeIagfoe32.exe

description	pid	process	target process
PID 2060 wrote to memory of 2896	2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe	Hcifgjgc.exe
PID 2060 wrote to memory of 2896	2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe	Hcifgjgc.exe
PID 2060 wrote to memory of 2896	2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe	Hcifgjgc.exe
PID 2060 wrote to memory of 2896	2060	d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe	Hcifgjgc.exe
PID 2896 wrote to memory of 2836	2896	Hcifgjgc.exe	Hpmgqnfl.exe
PID 2896 wrote to memory of 2836	2896	Hcifgjgc.exe	Hpmgqnfl.exe
PID 2896 wrote to memory of 2836	2896	Hcifgjgc.exe	Hpmgqnfl.exe
PID 2896 wrote to memory of 2836	2896	Hcifgjgc.exe	Hpmgqnfl.exe
PID 2836 wrote to memory of 2652	2836	Hpmgqnfl.exe	Hiekid32.exe
PID 2836 wrote to memory of 2652	2836	Hpmgqnfl.exe	Hiekid32.exe
PID 2836 wrote to memory of 2652	2836	Hpmgqnfl.exe	Hiekid32.exe
PID 2836 wrote to memory of 2652	2836	Hpmgqnfl.exe	Hiekid32.exe
PID 2652 wrote to memory of 2508	2652	Hiekid32.exe	Hgilchkf.exe
PID 2652 wrote to memory of 2508	2652	Hiekid32.exe	Hgilchkf.exe
PID 2652 wrote to memory of 2508	2652	Hiekid32.exe	Hgilchkf.exe
PID 2652 wrote to memory of 2508	2652	Hiekid32.exe	Hgilchkf.exe
PID 2508 wrote to memory of 2708	2508	Hgilchkf.exe	Hpapln32.exe
PID 2508 wrote to memory of 2708	2508	Hgilchkf.exe	Hpapln32.exe
PID 2508 wrote to memory of 2708	2508	Hgilchkf.exe	Hpapln32.exe
PID 2508 wrote to memory of 2708	2508	Hgilchkf.exe	Hpapln32.exe
PID 2708 wrote to memory of 2556	2708	Hpapln32.exe	Hjjddchg.exe
PID 2708 wrote to memory of 2556	2708	Hpapln32.exe	Hjjddchg.exe
PID 2708 wrote to memory of 2556	2708	Hpapln32.exe	Hjjddchg.exe
PID 2708 wrote to memory of 2556	2708	Hpapln32.exe	Hjjddchg.exe
PID 2556 wrote to memory of 1644	2556	Hjjddchg.exe	Icbimi32.exe
PID 2556 wrote to memory of 1644	2556	Hjjddchg.exe	Icbimi32.exe
PID 2556 wrote to memory of 1644	2556	Hjjddchg.exe	Icbimi32.exe
PID 2556 wrote to memory of 1644	2556	Hjjddchg.exe	Icbimi32.exe
PID 1644 wrote to memory of 1680	1644	Icbimi32.exe	Ihoafpmp.exe
PID 1644 wrote to memory of 1680	1644	Icbimi32.exe	Ihoafpmp.exe
PID 1644 wrote to memory of 1680	1644	Icbimi32.exe	Ihoafpmp.exe
PID 1644 wrote to memory of 1680	1644	Icbimi32.exe	Ihoafpmp.exe
PID 1680 wrote to memory of 2572	1680	Ihoafpmp.exe	Iagfoe32.exe
PID 1680 wrote to memory of 2572	1680	Ihoafpmp.exe	Iagfoe32.exe
PID 1680 wrote to memory of 2572	1680	Ihoafpmp.exe	Iagfoe32.exe
PID 1680 wrote to memory of 2572	1680	Ihoafpmp.exe	Iagfoe32.exe
PID 2572 wrote to memory of 2248	2572	Iagfoe32.exe	WerFault.exe
PID 2572 wrote to memory of 2248	2572	Iagfoe32.exe	WerFault.exe
PID 2572 wrote to memory of 2248	2572	Iagfoe32.exe	WerFault.exe
PID 2572 wrote to memory of 2248	2572	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe
"C:\Users\Admin\AppData\Local\Temp\d1d4631bedf1d1a950e301b6c32fab15d9e8d5ecd19aabd650bc1199e6996716.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\system32\Hiekid32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\Hpapln32.exe
C:\Windows\system32\Hpapln32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\system32\Icbimi32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 140
11⤵
- Loads dropped DLL
- Program crash
PID:2248

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Glqllcbf.dll
Filesize
7KB

MD5
2273622f3801457d5084b699abf4dd4c

SHA1
72c374164152c15ecb8ca0bdda7694a9205afe21

SHA256
97f3beda90cd074434054c4c7a3bd5ff96e5276fddef4240e4db3b9c1c1b8ca8

SHA512
a055c62a1b60cf388a515a721c7378328158f680ffeb7afc8c3099f0bd2c725012e0d561265538ff716a34e77b88ec0bf1adba2f2e4d589d0b6a5b4122bf1ed7

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe
Filesize
224KB

MD5
8c85906f1623e8cbd4b07f6e2a7fd187

SHA1
3dda2ce7636bef39f40c27a8b97f0dec8e58e94b

SHA256
4ffcae4b3d0bd76b13e5f378efa4738846ced6c16dff8bdf1909c260fe036e5f

SHA512
39b59c7f49de1f3639614376c5d989d845b076c46d6a39c477aae4a0d5d488139585ef384c9ec015ed2b435564387d95416de92e0d18d893ff774e603d0fa7e5

Download Submit
\Windows\SysWOW64\Hgilchkf.exe
Filesize
224KB

MD5
87b835d550d139c7441a74d4d99475ce

SHA1
a9d0f1aa577257196392678102b2955f111fdea6

SHA256
3cb4d21681f4c693c4922afae8134bc432a5372aa226077e8c66e68e663f5668

SHA512
33c454d6a9a09221de4b1ce4c7260f1eeb0a50182f58becb034bcc2dd351ccfce7f47c9042c21232962d1f1d19778986c5433c114e1847352208fa514dfc8d8b

Download Submit
\Windows\SysWOW64\Hiekid32.exe
Filesize
224KB

MD5
d1e2d852b4f9be692247870b9301c1db

SHA1
16bfc202be839c5fd6a5e93af9902af31c16ee52

SHA256
4c7487ea3a3f865619426c63db4cab98dd611f53b5aaf25ccc45bc2de9e97bbb

SHA512
4f6b53a266ad300580b967484fa2ca7aaead407e5f59b647dd6679673ded1758ff46a8cc0dee0e9ec235755cd36cda33edda44be3abd3722a2554f95bde00373

Download Submit
\Windows\SysWOW64\Hjjddchg.exe
Filesize
224KB

MD5
aeb1223fc95e36f2b10b0e3b487b8420

SHA1
976920c024058a412e63f0238667f152ed56949f

SHA256
f68e1e15268f2b7f19b73344297be80c268c3642cdc800d41d08be4189c5ae35

SHA512
4c88b1db13e7c1a7f28612b06b45fa8b5008a898c0d8029962144f2241982defffeae1a12fe2b97e14d2e561a038fcec139943d974f9b50eec6ecab666bf2325

Download Submit
\Windows\SysWOW64\Hpapln32.exe
Filesize
224KB

MD5
0f24a545ce591e3c33498f3df4419f49

SHA1
13c4692ceeb7b8f5b579a875d89242b65bc5858a

SHA256
dfa759901b1d58df3d3ed4a4a342151ec8755044a7b4e47e56f504eb35c016a0

SHA512
e7e2decdabdc6c549380006a74444f32351c61955dad251baf1c6ec4d8e5e8aff09eca8f6f02be36dc994dbfe74e1c7fd3b2da32c26b086a7c9aeb2fec759b24

Download Submit
\Windows\SysWOW64\Hpmgqnfl.exe
Filesize
224KB

MD5
d2380f75a51c4118c7a3d81d98067b42

SHA1
bf0f6f86e0a827430973a18c4d642a6fedb0b476

SHA256
04c47b5143092e04f86e81b4029b86764856a65c6a8244792f73609badea71bc

SHA512
7fe94ac0165b9398c618ed7f8d4211d7bb948112a789454340f85752b8606e59c1db5fd135d82101d8ddce619adab5114f340590e9f34bc9c065dfe7acaf9c4f

Download Submit
\Windows\SysWOW64\Iagfoe32.exe
Filesize
224KB

MD5
eeea6fe15e606819c9bee67ba04804c6

SHA1
4abfb0058f86ecc24322626310fccbccbca87392

SHA256
4aa735131027d3a21f1df01918d856d5df10127fdd4be9539e1c8aec9b02c16a

SHA512
36e6104e8917d686c256b51846fdf779e184d9ad5c6636214e872903ab1559bfa3594411a188750c35789e945075817705c5d2f49ea309c96f7a0053272b08ad

Download Submit
\Windows\SysWOW64\Icbimi32.exe
Filesize
224KB

MD5
e6a7ce124625abf7dc4fd1a76dcfd712

SHA1
5cd40ded9eed9711d518a48868051a5461463bc2

SHA256
d586a1906f874164ca023007b88586f98789b930d85648b9717382189f165724

SHA512
481427b1c02242908779437cbb8a27af38b9c5eb2ecf61da30d923b0a3b7701e7cde0db39a9d82e13db2f7ec5953ef8b29cb16c54eb1df7ed3574bec6bf8f3bd

Download Submit
\Windows\SysWOW64\Ihoafpmp.exe
Filesize
224KB

MD5
30048ea7acfd115a74cbd37171b4f8cf

SHA1
2b4c4e7b96eeacf57fb1b61472e8a033f8b65191

SHA256
ec88d8c9242ec7965e91611f02105c8f8784efa356d7418c0106691100967b41

SHA512
896ecfb82ef1bec5c1630f06127dd45b1f6e39f8b185a7cd142c863130d46317199f76286892dc3f3625ce1e2e27957b7818655699c541a9b0d903fbb7016e8a

Download Submit
memory/1644-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-107-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1680-121-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1680-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1680-120-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1680-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2060-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2060-6-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/2060-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-65-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2508-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-93-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2556-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-132-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-38-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2836-40-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2896-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2896-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2896-20-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads