eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7

Analysis

max time kernel
143s
max time network
128s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Size

768KB
MD5

e6fbb38404645abc774745c856828c84
SHA1

5769c64c1b66b4a0e73f1dfba803c7a4941e0bb5
SHA256

eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7
SHA512

676006735ee18e7c9eccb3ba8464035387909d9261018d3c95974f86f42ca99e1762cd1950f1326811ae3aecb061a876a45b122ca037ea9ba257e4dd54586607
SSDEEP

12288:xuQ4v+6IvYvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl888888888888888888d:xuQF3q5hPPh2kkkkK4kXkkkkkkkkH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ggpimica.exeHcifgjgc.exeHobcak32.exeHcplhi32.exeGacpdbej.exeHiqbndpb.exeHggomh32.exeeac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exeGldkfl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe

Executes dropped EXE 9 IoCs

Processes:

Gldkfl32.exeGacpdbej.exeGgpimica.exeHiqbndpb.exeHcifgjgc.exeHggomh32.exeHobcak32.exeHcplhi32.exeIagfoe32.exe

pid process

1996 Gldkfl32.exe
2612 Gacpdbej.exe
2920 Ggpimica.exe
2760 Hiqbndpb.exe
2228 Hcifgjgc.exe
2520 Hggomh32.exe
2300 Hobcak32.exe
2696 Hcplhi32.exe
1804 Iagfoe32.exe

pid	process
1996	Gldkfl32.exe
2612	Gacpdbej.exe
2920	Ggpimica.exe
2760	Hiqbndpb.exe
2228	Hcifgjgc.exe
2520	Hggomh32.exe
2300	Hobcak32.exe
2696	Hcplhi32.exe
1804	Iagfoe32.exe

Loads dropped DLL 22 IoCs

Processes:

eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exeGldkfl32.exeGacpdbej.exeGgpimica.exeHiqbndpb.exeHcifgjgc.exeHggomh32.exeHobcak32.exeHcplhi32.exeWerFault.exe

pid	process
1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
1996	Gldkfl32.exe
1996	Gldkfl32.exe
2612	Gacpdbej.exe
2612	Gacpdbej.exe
2920	Ggpimica.exe
2920	Ggpimica.exe
2760	Hiqbndpb.exe
2760	Hiqbndpb.exe
2228	Hcifgjgc.exe
2228	Hcifgjgc.exe
2520	Hggomh32.exe
2520	Hggomh32.exe
2300	Hobcak32.exe
2300	Hobcak32.exe
2696	Hcplhi32.exe
2696	Hcplhi32.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe
2388	WerFault.exe

Drops file in System32 directory 27 IoCs

Processes:

Hiqbndpb.exeHggomh32.exeeac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exeHobcak32.exeHcifgjgc.exeGacpdbej.exeGgpimica.exeGldkfl32.exeHcplhi32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Hcplhi32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2388 1804 WerFault.exe

pid	pid_target	process
2388	1804	WerFault.exe

Modifies registry class 30 IoCs

Processes:

Hiqbndpb.exeHobcak32.exeGacpdbej.exeGgpimica.exeHcifgjgc.exeeac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exeHggomh32.exeHcplhi32.exeGldkfl32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exeGldkfl32.exeGacpdbej.exeGgpimica.exeHiqbndpb.exeHcifgjgc.exeHggomh32.exeHobcak32.exeHcplhi32.exeIagfoe32.exe

description	pid	process	target process
PID 1936 wrote to memory of 1996	1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe	Gldkfl32.exe
PID 1936 wrote to memory of 1996	1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe	Gldkfl32.exe
PID 1936 wrote to memory of 1996	1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe	Gldkfl32.exe
PID 1936 wrote to memory of 1996	1936	eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe	Gldkfl32.exe
PID 1996 wrote to memory of 2612	1996	Gldkfl32.exe	Gacpdbej.exe
PID 1996 wrote to memory of 2612	1996	Gldkfl32.exe	Gacpdbej.exe
PID 1996 wrote to memory of 2612	1996	Gldkfl32.exe	Gacpdbej.exe
PID 1996 wrote to memory of 2612	1996	Gldkfl32.exe	Gacpdbej.exe
PID 2612 wrote to memory of 2920	2612	Gacpdbej.exe	Ggpimica.exe
PID 2612 wrote to memory of 2920	2612	Gacpdbej.exe	Ggpimica.exe
PID 2612 wrote to memory of 2920	2612	Gacpdbej.exe	Ggpimica.exe
PID 2612 wrote to memory of 2920	2612	Gacpdbej.exe	Ggpimica.exe
PID 2920 wrote to memory of 2760	2920	Ggpimica.exe	Hiqbndpb.exe
PID 2920 wrote to memory of 2760	2920	Ggpimica.exe	Hiqbndpb.exe
PID 2920 wrote to memory of 2760	2920	Ggpimica.exe	Hiqbndpb.exe
PID 2920 wrote to memory of 2760	2920	Ggpimica.exe	Hiqbndpb.exe
PID 2760 wrote to memory of 2228	2760	Hiqbndpb.exe	Hcifgjgc.exe
PID 2760 wrote to memory of 2228	2760	Hiqbndpb.exe	Hcifgjgc.exe
PID 2760 wrote to memory of 2228	2760	Hiqbndpb.exe	Hcifgjgc.exe
PID 2760 wrote to memory of 2228	2760	Hiqbndpb.exe	Hcifgjgc.exe
PID 2228 wrote to memory of 2520	2228	Hcifgjgc.exe	Hggomh32.exe
PID 2228 wrote to memory of 2520	2228	Hcifgjgc.exe	Hggomh32.exe
PID 2228 wrote to memory of 2520	2228	Hcifgjgc.exe	Hggomh32.exe
PID 2228 wrote to memory of 2520	2228	Hcifgjgc.exe	Hggomh32.exe
PID 2520 wrote to memory of 2300	2520	Hggomh32.exe	Hobcak32.exe
PID 2520 wrote to memory of 2300	2520	Hggomh32.exe	Hobcak32.exe
PID 2520 wrote to memory of 2300	2520	Hggomh32.exe	Hobcak32.exe
PID 2520 wrote to memory of 2300	2520	Hggomh32.exe	Hobcak32.exe
PID 2300 wrote to memory of 2696	2300	Hobcak32.exe	Hcplhi32.exe
PID 2300 wrote to memory of 2696	2300	Hobcak32.exe	Hcplhi32.exe
PID 2300 wrote to memory of 2696	2300	Hobcak32.exe	Hcplhi32.exe
PID 2300 wrote to memory of 2696	2300	Hobcak32.exe	Hcplhi32.exe
PID 2696 wrote to memory of 1804	2696	Hcplhi32.exe	Iagfoe32.exe
PID 2696 wrote to memory of 1804	2696	Hcplhi32.exe	Iagfoe32.exe
PID 2696 wrote to memory of 1804	2696	Hcplhi32.exe	Iagfoe32.exe
PID 2696 wrote to memory of 1804	2696	Hcplhi32.exe	Iagfoe32.exe
PID 1804 wrote to memory of 2388	1804	Iagfoe32.exe	WerFault.exe
PID 1804 wrote to memory of 2388	1804	Iagfoe32.exe	WerFault.exe
PID 1804 wrote to memory of 2388	1804	Iagfoe32.exe	WerFault.exe
PID 1804 wrote to memory of 2388	1804	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe
"C:\Users\Admin\AppData\Local\Temp\eac7449216789b5503645e105eb4a0f34ce268b68571f397e9d16d289858eee7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\Gldkfl32.exe
C:\Windows\system32\Gldkfl32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\Ggpimica.exe
C:\Windows\system32\Ggpimica.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 140
11⤵
- Loads dropped DLL
- Program crash
PID:2388

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcifgjgc.exe
Filesize
768KB

MD5
5040f628e6eb38eb0f538d5de8793d2e

SHA1
d8bbc089e34f4f1a18bb88d8f09248b9a93ecf35

SHA256
1530e0e85018ec1914fff148072debba8c4bba87059fdec8c39958c3a4293c23

SHA512
141f3d24866a48190bc325e1f092a134b9e5e3a3d2cdac055fd5b88313820e47a5793a49f081ddc5bff94dd2ddc849756816a57f496255789ea9d77ffa624c1a

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe
Filesize
768KB

MD5
3219d9171c9e417d2a63b595212f4e87

SHA1
d561df465783e913f321805655cc800da8162032

SHA256
a8c4b6120ba482db66fdbc9da2c6dd8f54d423e3a349728811f7a629356a97f2

SHA512
b3cdf13d4e773230e6bcfa7d98d64f059242b9a5c291bf6d76f92af5d8c27aaa52978c2a60c728a4cb61ac2cb261a042025cc7a2fdca87863b90d4a4a7e6d0f9

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe
Filesize
768KB

MD5
9a62b336978b5b20b4ebb0c24eea4ed8

SHA1
016fa2820b676c858426ea6fc492d8db30a1caf9

SHA256
e24f109dee54336a1b8c76a8887f8371667a6cfb5782d6dfccb53e059723857e

SHA512
49f3ec4a5f0e0dea7938d44755844d1f69e22679d310bf53bcec65adecfa5d2daef8b804f6eee31a3b6c12f5870834d2951e4f89508466f2258e2ff0a696a778

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
768KB

MD5
23ce969642c555fa45315c89f00ca187

SHA1
f360214c650721aa5740ff27679ac2c36be0fb7c

SHA256
575d80a238f08151ae985b9d1a392d549be6d3c8e0761b821f068091ea304ac3

SHA512
15269a4f6c2d08edad2f4e085f2e0233614db1b0e66cc0104a23d2405304f361b72f077dedc61383a5d4a171b929b19e283ee876de2c2491577a7adc2d78ad1c

Download Submit
\Windows\SysWOW64\Gacpdbej.exe
Filesize
768KB

MD5
bad98aa38a8fa9b00679a658db699e3a

SHA1
bc42a96b7724f4056063ac712c76163a0efee117

SHA256
c33a916da56e68359f89a2998c5827cc2efcbb94a0bd9febab8205428dd20d6b

SHA512
6967cdf4a491a02e3d4b5e6614475dd60c1222720e1bc30bb492dedf2966e2118c8da7ac86a085dd4bafdcb3ad9cf0319ee944fcc7f3a9253b9fc87955bdd9cc

Download Submit
\Windows\SysWOW64\Ggpimica.exe
Filesize
768KB

MD5
6738551ce540b73f0c12b96da71393df

SHA1
31ed1d03ac8368e61cd03a1d1afc9a202538b5ff

SHA256
24bfb139c0c62967c58ef11db1695be9224c0e3dfecee0ae104d462a516e81ce

SHA512
134b52cbf85368e665e3260262dc4cdf530d16b89b2a7f16ee9c44bf3d5fdfc22b1ccbae1f33ecfab61c7c1b75bfae5716aa81ce4ec0ec8bb2f93e0b84b8c83d

Download Submit
\Windows\SysWOW64\Gldkfl32.exe
Filesize
768KB

MD5
942a651359ffba90712f35a54e8d4b0a

SHA1
c4ec97e213cb1f66d9ee36385edeeac75c4e8f56

SHA256
4a52dd8de78ba6f49eec34f1eb1d774e9adfda402988c4a52c389f109a77c930

SHA512
91c1ca2dc2e324a01acf95a018e12cae089b7f15aa79810d3941590b4402ef8534be9ed13bfe2cf89ef4d193356af22edc2e54e000da938356d2536bb464d309

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe
Filesize
768KB

MD5
aa3bafcabdb5de5e630e11a1f2aced46

SHA1
76ed948e0215e99dcc7a453e1b154a6775a89f54

SHA256
b5d6d239dec765be74f362ecd2c776da1978e8b539a67a56336c06cc1818d73e

SHA512
1f3e52663e0ac02b9b0984558d6a10bc7dbb2d6aed86cc4149c3963c609b72359a141363fab469462b426983c0f7611a31516fee73db14e00c688b8476f245fe

Download Submit
\Windows\SysWOW64\Hobcak32.exe
Filesize
768KB

MD5
4a700494462ef221ae4f34448d8e66d6

SHA1
52b101d3d0100584aedb0f25657769a10efb405d

SHA256
9b4af65094acbf8ebc63435bf74b0359e46458f27bb7815a3fffb80de8d02990

SHA512
32fd736b951ad50e8755de5e6e2605780f5f2c2512cac078afe878465c95f84417a9a6d13c43517d3bd418929dc5fe424ec823c36854944b658896b7ed874101

Download Submit
memory/1804-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1936-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-6-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1996-27-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1996-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-26-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2228-82-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2228-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-110-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2300-111-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2300-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2520-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-96-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2612-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-41-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2696-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-68-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2760-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-50-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2920-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads