cec22e8097a67d51e082e0e9604c3c65914a89fa5980e61aee4a4dbc505bae2b

Analysis

max time kernel
240s
max time network
298s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

383c5628f6ddceb460f171ffcafa97aa_JC.exe
Size

269KB
MD5

383c5628f6ddceb460f171ffcafa97aa
SHA1

20e3802b90a76c406f41c6848098b2c3b7961269
SHA256

cec22e8097a67d51e082e0e9604c3c65914a89fa5980e61aee4a4dbc505bae2b
SHA512

af49d02c6a83f1d5fa130cc647078c255c1cbb4fb36b7f1938567dca009387cf5b5de2355d7cdddee7338f652466fecedac09cb4b72f4a75b2350e1a6c7f443c
SSDEEP

6144:nILpEBmI8HHDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55Kmj50GXoCcmASBTw2Ao:nILpmlChtMtkM71r1MSXqPix55KI5fXR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbnpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejeglg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbdemnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gioigf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giafmfad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chfadndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcjfgbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giafmfad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfgikgjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejeglg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbbdemnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbnpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfgikgjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfadndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjmlgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enjmlgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejcjfgbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gioigf32.exe

Executes dropped EXE 10 IoCs

pid	Process
2616	Dbnpcn32.exe
3004	Bfgikgjq.exe
2856	Chfadndo.exe
1804	Enjmlgoj.exe
2188	Ejcjfgbk.exe
2572	Ejeglg32.exe
2704	Gbbdemnl.exe
1556	Gioigf32.exe
2056	Giafmfad.exe
584	Hblgkkfa.exe

Loads dropped DLL 24 IoCs

pid	Process
1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe
1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe
2616	Dbnpcn32.exe
2616	Dbnpcn32.exe
3004	Bfgikgjq.exe
3004	Bfgikgjq.exe
2856	Chfadndo.exe
2856	Chfadndo.exe
1804	Enjmlgoj.exe
1804	Enjmlgoj.exe
2188	Ejcjfgbk.exe
2188	Ejcjfgbk.exe
2572	Ejeglg32.exe
2572	Ejeglg32.exe
2704	Gbbdemnl.exe
2704	Gbbdemnl.exe
1556	Gioigf32.exe
1556	Gioigf32.exe
2056	Giafmfad.exe
2056	Giafmfad.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Enjmlgoj.exe	Chfadndo.exe
File created	C:\Windows\SysWOW64\Halhkamm.dll	Enjmlgoj.exe
File opened for modification	C:\Windows\SysWOW64\Dbnpcn32.exe	383c5628f6ddceb460f171ffcafa97aa_JC.exe
File created	C:\Windows\SysWOW64\Gcbfebbc.dll	383c5628f6ddceb460f171ffcafa97aa_JC.exe
File opened for modification	C:\Windows\SysWOW64\Chfadndo.exe	Bfgikgjq.exe
File created	C:\Windows\SysWOW64\Enjmlgoj.exe	Chfadndo.exe
File created	C:\Windows\SysWOW64\Imqkokae.dll	Bfgikgjq.exe
File created	C:\Windows\SysWOW64\Ldhhfdpd.dll	Gbbdemnl.exe
File created	C:\Windows\SysWOW64\Hblgkkfa.exe	Giafmfad.exe
File created	C:\Windows\SysWOW64\Ejcjfgbk.exe	Enjmlgoj.exe
File created	C:\Windows\SysWOW64\Giafmfad.exe	Gioigf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfgikgjq.exe	Dbnpcn32.exe
File created	C:\Windows\SysWOW64\Gbbdemnl.exe	Ejeglg32.exe
File opened for modification	C:\Windows\SysWOW64\Ejcjfgbk.exe	Enjmlgoj.exe
File opened for modification	C:\Windows\SysWOW64\Ejeglg32.exe	Ejcjfgbk.exe
File created	C:\Windows\SysWOW64\Dlepoq32.dll	Ejcjfgbk.exe
File opened for modification	C:\Windows\SysWOW64\Giafmfad.exe	Gioigf32.exe
File created	C:\Windows\SysWOW64\Bfgikgjq.exe	Dbnpcn32.exe
File created	C:\Windows\SysWOW64\Gioigf32.exe	Gbbdemnl.exe
File opened for modification	C:\Windows\SysWOW64\Gioigf32.exe	Gbbdemnl.exe
File opened for modification	C:\Windows\SysWOW64\Hblgkkfa.exe	Giafmfad.exe
File created	C:\Windows\SysWOW64\Dcjpihcg.dll	Dbnpcn32.exe
File created	C:\Windows\SysWOW64\Ofenhhgl.dll	Chfadndo.exe
File opened for modification	C:\Windows\SysWOW64\Gbbdemnl.exe	Ejeglg32.exe
File created	C:\Windows\SysWOW64\Ebkgmnhl.dll	Gioigf32.exe
File created	C:\Windows\SysWOW64\Jlfkcfof.dll	Giafmfad.exe
File created	C:\Windows\SysWOW64\Dbnpcn32.exe	383c5628f6ddceb460f171ffcafa97aa_JC.exe
File created	C:\Windows\SysWOW64\Chfadndo.exe	Bfgikgjq.exe
File created	C:\Windows\SysWOW64\Ejeglg32.exe	Ejcjfgbk.exe
File created	C:\Windows\SysWOW64\Jdghjg32.dll	Ejeglg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
676	584	WerFault.exe	36

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjpihcg.dll"	Dbnpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhhfdpd.dll"	Gbbdemnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfgikgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfgikgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halhkamm.dll"	Enjmlgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejeglg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gioigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfkcfof.dll"	Giafmfad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbnpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofenhhgl.dll"	Chfadndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chfadndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enjmlgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enjmlgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gioigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbbdemnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkokae.dll"	Bfgikgjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chfadndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejcjfgbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejeglg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdghjg32.dll"	Ejeglg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giafmfad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejcjfgbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbbdemnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbfebbc.dll"	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	383c5628f6ddceb460f171ffcafa97aa_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbnpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlepoq32.dll"	Ejcjfgbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkgmnhl.dll"	Gioigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giafmfad.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2616	1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe	27
PID 1944 wrote to memory of 2616	1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe	27
PID 1944 wrote to memory of 2616	1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe	27
PID 1944 wrote to memory of 2616	1944	383c5628f6ddceb460f171ffcafa97aa_JC.exe	27
PID 2616 wrote to memory of 3004	2616	Dbnpcn32.exe	28
PID 2616 wrote to memory of 3004	2616	Dbnpcn32.exe	28
PID 2616 wrote to memory of 3004	2616	Dbnpcn32.exe	28
PID 2616 wrote to memory of 3004	2616	Dbnpcn32.exe	28
PID 3004 wrote to memory of 2856	3004	Bfgikgjq.exe	29
PID 3004 wrote to memory of 2856	3004	Bfgikgjq.exe	29
PID 3004 wrote to memory of 2856	3004	Bfgikgjq.exe	29
PID 3004 wrote to memory of 2856	3004	Bfgikgjq.exe	29
PID 2856 wrote to memory of 1804	2856	Chfadndo.exe	30
PID 2856 wrote to memory of 1804	2856	Chfadndo.exe	30
PID 2856 wrote to memory of 1804	2856	Chfadndo.exe	30
PID 2856 wrote to memory of 1804	2856	Chfadndo.exe	30
PID 1804 wrote to memory of 2188	1804	Enjmlgoj.exe	31
PID 1804 wrote to memory of 2188	1804	Enjmlgoj.exe	31
PID 1804 wrote to memory of 2188	1804	Enjmlgoj.exe	31
PID 1804 wrote to memory of 2188	1804	Enjmlgoj.exe	31
PID 2188 wrote to memory of 2572	2188	Ejcjfgbk.exe	32
PID 2188 wrote to memory of 2572	2188	Ejcjfgbk.exe	32
PID 2188 wrote to memory of 2572	2188	Ejcjfgbk.exe	32
PID 2188 wrote to memory of 2572	2188	Ejcjfgbk.exe	32
PID 2572 wrote to memory of 2704	2572	Ejeglg32.exe	33
PID 2572 wrote to memory of 2704	2572	Ejeglg32.exe	33
PID 2572 wrote to memory of 2704	2572	Ejeglg32.exe	33
PID 2572 wrote to memory of 2704	2572	Ejeglg32.exe	33
PID 2704 wrote to memory of 1556	2704	Gbbdemnl.exe	34
PID 2704 wrote to memory of 1556	2704	Gbbdemnl.exe	34
PID 2704 wrote to memory of 1556	2704	Gbbdemnl.exe	34
PID 2704 wrote to memory of 1556	2704	Gbbdemnl.exe	34
PID 1556 wrote to memory of 2056	1556	Gioigf32.exe	35
PID 1556 wrote to memory of 2056	1556	Gioigf32.exe	35
PID 1556 wrote to memory of 2056	1556	Gioigf32.exe	35
PID 1556 wrote to memory of 2056	1556	Gioigf32.exe	35
PID 2056 wrote to memory of 584	2056	Giafmfad.exe	36
PID 2056 wrote to memory of 584	2056	Giafmfad.exe	36
PID 2056 wrote to memory of 584	2056	Giafmfad.exe	36
PID 2056 wrote to memory of 584	2056	Giafmfad.exe	36
PID 584 wrote to memory of 676	584	Hblgkkfa.exe	37
PID 584 wrote to memory of 676	584	Hblgkkfa.exe	37
PID 584 wrote to memory of 676	584	Hblgkkfa.exe	37
PID 584 wrote to memory of 676	584	Hblgkkfa.exe	37

C:\Users\Admin\AppData\Local\Temp\383c5628f6ddceb460f171ffcafa97aa_JC.exe
"C:\Users\Admin\AppData\Local\Temp\383c5628f6ddceb460f171ffcafa97aa_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\Dbnpcn32.exe
  C:\Windows\system32\Dbnpcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\Bfgikgjq.exe
    C:\Windows\system32\Bfgikgjq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Chfadndo.exe
      C:\Windows\system32\Chfadndo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Enjmlgoj.exe
        
        C:\Windows\system32\Enjmlgoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\SysWOW64\Ejcjfgbk.exe
        
        C:\Windows\system32\Ejcjfgbk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ejeglg32.exe
        
        C:\Windows\system32\Ejeglg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Gbbdemnl.exe
        
        C:\Windows\system32\Gbbdemnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Gioigf32.exe
        
        C:\Windows\system32\Gioigf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Giafmfad.exe
        
        C:\Windows\system32\Giafmfad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Hblgkkfa.exe
        
        C:\Windows\system32\Hblgkkfa.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfgikgjq.exe

Filesize
269KB

MD5
6f18f649933a87d2afedbfd0ec954b9d

SHA1
cc294473622715c19c7eaa3adea51b1383f16598

SHA256
095ceac781e1a585cf95e55fb7403898962dc0a87303e6bf47863bb2188e440b

SHA512
ed023669959c9a63796291b8a12884d31394faa781d093dd49c9cbaedf496a447f41a95f4a3998f4a075ce9546310ba0b94a3e12bad9830fcf6fbaa394247ef7

Download Submit
C:\Windows\SysWOW64\Bfgikgjq.exe

Filesize
269KB

MD5
6f18f649933a87d2afedbfd0ec954b9d

SHA1
cc294473622715c19c7eaa3adea51b1383f16598

SHA256
095ceac781e1a585cf95e55fb7403898962dc0a87303e6bf47863bb2188e440b

SHA512
ed023669959c9a63796291b8a12884d31394faa781d093dd49c9cbaedf496a447f41a95f4a3998f4a075ce9546310ba0b94a3e12bad9830fcf6fbaa394247ef7

Download Submit
C:\Windows\SysWOW64\Bfgikgjq.exe

Filesize
269KB

MD5
6f18f649933a87d2afedbfd0ec954b9d

SHA1
cc294473622715c19c7eaa3adea51b1383f16598

SHA256
095ceac781e1a585cf95e55fb7403898962dc0a87303e6bf47863bb2188e440b

SHA512
ed023669959c9a63796291b8a12884d31394faa781d093dd49c9cbaedf496a447f41a95f4a3998f4a075ce9546310ba0b94a3e12bad9830fcf6fbaa394247ef7

Download Submit
C:\Windows\SysWOW64\Chfadndo.exe

Filesize
269KB

MD5
435d9555d83ef1e86376926ab2c178a5

SHA1
d6bb3a909e007a87df41bace07a06a7000b76de8

SHA256
8388e79ba7c88b7d94cfca16d7ed5a820385f44318fc913146061bf9c2eb5572

SHA512
6cea21fc9058650c732051e5a4c25232da5acbade6c1e549a3321a5a2905920cd79b22c536516f2d69562e0a016ce68354908e36abaaff117ad7579d1721c041

Download Submit
C:\Windows\SysWOW64\Chfadndo.exe

Filesize
269KB

MD5
435d9555d83ef1e86376926ab2c178a5

SHA1
d6bb3a909e007a87df41bace07a06a7000b76de8

SHA256
8388e79ba7c88b7d94cfca16d7ed5a820385f44318fc913146061bf9c2eb5572

SHA512
6cea21fc9058650c732051e5a4c25232da5acbade6c1e549a3321a5a2905920cd79b22c536516f2d69562e0a016ce68354908e36abaaff117ad7579d1721c041

Download Submit
C:\Windows\SysWOW64\Chfadndo.exe

Filesize
269KB

MD5
435d9555d83ef1e86376926ab2c178a5

SHA1
d6bb3a909e007a87df41bace07a06a7000b76de8

SHA256
8388e79ba7c88b7d94cfca16d7ed5a820385f44318fc913146061bf9c2eb5572

SHA512
6cea21fc9058650c732051e5a4c25232da5acbade6c1e549a3321a5a2905920cd79b22c536516f2d69562e0a016ce68354908e36abaaff117ad7579d1721c041

Download Submit
C:\Windows\SysWOW64\Dbnpcn32.exe

Filesize
269KB

MD5
609d94dc247c02ed581a3a648d5b3c84

SHA1
412643cf8b2bb6818fda45edf8839204d6e55fbc

SHA256
04fad1d9776bc019e229c9223ceed2894f4980b1cf2a59be865fc9e9c2de7f88

SHA512
0d13879069f74749e2c267c3b5f7f7af8dfc03a84a161596685547faa9d7c772e17397ea303e54b36153ec42083708e033c746781a94428e3b8e95d5dfdee152

Download Submit
C:\Windows\SysWOW64\Dbnpcn32.exe

Filesize
269KB

MD5
609d94dc247c02ed581a3a648d5b3c84

SHA1
412643cf8b2bb6818fda45edf8839204d6e55fbc

SHA256
04fad1d9776bc019e229c9223ceed2894f4980b1cf2a59be865fc9e9c2de7f88

SHA512
0d13879069f74749e2c267c3b5f7f7af8dfc03a84a161596685547faa9d7c772e17397ea303e54b36153ec42083708e033c746781a94428e3b8e95d5dfdee152

Download Submit
C:\Windows\SysWOW64\Dbnpcn32.exe

Filesize
269KB

MD5
609d94dc247c02ed581a3a648d5b3c84

SHA1
412643cf8b2bb6818fda45edf8839204d6e55fbc

SHA256
04fad1d9776bc019e229c9223ceed2894f4980b1cf2a59be865fc9e9c2de7f88

SHA512
0d13879069f74749e2c267c3b5f7f7af8dfc03a84a161596685547faa9d7c772e17397ea303e54b36153ec42083708e033c746781a94428e3b8e95d5dfdee152

Download Submit
C:\Windows\SysWOW64\Ejcjfgbk.exe

Filesize
269KB

MD5
700a4bdc1543ae559edad6078722d00c

SHA1
986b30b19022085376be0bd583f04f038bd771c2

SHA256
c6305396edb7ab94e027bd3cbc5c66b73e70eb3a9c39466269ae2549e40ff5f1

SHA512
07bb92172db754e9f2e1748e59d7b1c48984266f2a3c665d79b113e2cee5808303be517f1ae7fd0378af3be5a24a57e70a758b8b4904f3d389d7668b975bbc02

Download Submit
C:\Windows\SysWOW64\Ejcjfgbk.exe

Filesize
269KB

MD5
700a4bdc1543ae559edad6078722d00c

SHA1
986b30b19022085376be0bd583f04f038bd771c2

SHA256
c6305396edb7ab94e027bd3cbc5c66b73e70eb3a9c39466269ae2549e40ff5f1

SHA512
07bb92172db754e9f2e1748e59d7b1c48984266f2a3c665d79b113e2cee5808303be517f1ae7fd0378af3be5a24a57e70a758b8b4904f3d389d7668b975bbc02

Download Submit
C:\Windows\SysWOW64\Ejcjfgbk.exe

Filesize
269KB

MD5
700a4bdc1543ae559edad6078722d00c

SHA1
986b30b19022085376be0bd583f04f038bd771c2

SHA256
c6305396edb7ab94e027bd3cbc5c66b73e70eb3a9c39466269ae2549e40ff5f1

SHA512
07bb92172db754e9f2e1748e59d7b1c48984266f2a3c665d79b113e2cee5808303be517f1ae7fd0378af3be5a24a57e70a758b8b4904f3d389d7668b975bbc02

Download Submit
C:\Windows\SysWOW64\Ejeglg32.exe

Filesize
269KB

MD5
ac9262567074a7d7dd87f38f0569f5d1

SHA1
f1f56121ea3796d87b5718e14f231c4e460e671c

SHA256
b512e471b94b4cf0aece6d7634a0b2a5f69f9d77a611a4d991af1b23042d95bc

SHA512
68f23432a5cd777f35fa23d98d0138a493deeb68b83f9703c439f5c6e0e4ba293b59df982fa8590d508df1b1a390113c9c168b7ff81bbd83329fd7edeeca25a6

Download Submit
C:\Windows\SysWOW64\Ejeglg32.exe

Filesize
269KB

MD5
ac9262567074a7d7dd87f38f0569f5d1

SHA1
f1f56121ea3796d87b5718e14f231c4e460e671c

SHA256
b512e471b94b4cf0aece6d7634a0b2a5f69f9d77a611a4d991af1b23042d95bc

SHA512
68f23432a5cd777f35fa23d98d0138a493deeb68b83f9703c439f5c6e0e4ba293b59df982fa8590d508df1b1a390113c9c168b7ff81bbd83329fd7edeeca25a6

Download Submit
C:\Windows\SysWOW64\Ejeglg32.exe

Filesize
269KB

MD5
ac9262567074a7d7dd87f38f0569f5d1

SHA1
f1f56121ea3796d87b5718e14f231c4e460e671c

SHA256
b512e471b94b4cf0aece6d7634a0b2a5f69f9d77a611a4d991af1b23042d95bc

SHA512
68f23432a5cd777f35fa23d98d0138a493deeb68b83f9703c439f5c6e0e4ba293b59df982fa8590d508df1b1a390113c9c168b7ff81bbd83329fd7edeeca25a6

Download Submit
C:\Windows\SysWOW64\Enjmlgoj.exe

Filesize
269KB

MD5
caafa27bc542941cc7975ca6f28eaa24

SHA1
1cd51edc43eb588e9b5b6834a77e369c1de7963c

SHA256
4e11c3910de95872f8f13ae5d370a16d509df5677c52c35db3f68ef27468ed8d

SHA512
935d89d0479cec48d8e5a8d12841439dd6e452be824875d128fd075c04fd73a4f3f38e536767c55518490ae549c57e18c1a5757029bc616767bddeb2e70f3155

Download Submit
C:\Windows\SysWOW64\Enjmlgoj.exe

Filesize
269KB

MD5
caafa27bc542941cc7975ca6f28eaa24

SHA1
1cd51edc43eb588e9b5b6834a77e369c1de7963c

SHA256
4e11c3910de95872f8f13ae5d370a16d509df5677c52c35db3f68ef27468ed8d

SHA512
935d89d0479cec48d8e5a8d12841439dd6e452be824875d128fd075c04fd73a4f3f38e536767c55518490ae549c57e18c1a5757029bc616767bddeb2e70f3155

Download Submit
C:\Windows\SysWOW64\Enjmlgoj.exe

Filesize
269KB

MD5
caafa27bc542941cc7975ca6f28eaa24

SHA1
1cd51edc43eb588e9b5b6834a77e369c1de7963c

SHA256
4e11c3910de95872f8f13ae5d370a16d509df5677c52c35db3f68ef27468ed8d

SHA512
935d89d0479cec48d8e5a8d12841439dd6e452be824875d128fd075c04fd73a4f3f38e536767c55518490ae549c57e18c1a5757029bc616767bddeb2e70f3155

Download Submit
C:\Windows\SysWOW64\Gbbdemnl.exe

Filesize
269KB

MD5
17c0f8daf8e286579a6ead2435e4abbf

SHA1
5b30dc87b603646aea14ad875e3337b4b9eaa3ff

SHA256
4994725dae73ea133e6e40494e7df9f1244ba96fa6a8e5a0e4f89ccb92338e60

SHA512
2ab4cfdb21c87e54291ab1dcbea1d23986b7f8ff8947d2660a97239bab786e56b90d6284332bf878c0604079b3907f5b4779866b4b044c5b4575bc7e63ac6c20

Download Submit
C:\Windows\SysWOW64\Gbbdemnl.exe

Filesize
269KB

MD5
17c0f8daf8e286579a6ead2435e4abbf

SHA1
5b30dc87b603646aea14ad875e3337b4b9eaa3ff

SHA256
4994725dae73ea133e6e40494e7df9f1244ba96fa6a8e5a0e4f89ccb92338e60

SHA512
2ab4cfdb21c87e54291ab1dcbea1d23986b7f8ff8947d2660a97239bab786e56b90d6284332bf878c0604079b3907f5b4779866b4b044c5b4575bc7e63ac6c20

Download Submit
C:\Windows\SysWOW64\Gbbdemnl.exe

Filesize
269KB

MD5
17c0f8daf8e286579a6ead2435e4abbf

SHA1
5b30dc87b603646aea14ad875e3337b4b9eaa3ff

SHA256
4994725dae73ea133e6e40494e7df9f1244ba96fa6a8e5a0e4f89ccb92338e60

SHA512
2ab4cfdb21c87e54291ab1dcbea1d23986b7f8ff8947d2660a97239bab786e56b90d6284332bf878c0604079b3907f5b4779866b4b044c5b4575bc7e63ac6c20

Download Submit
C:\Windows\SysWOW64\Giafmfad.exe

Filesize
269KB

MD5
ba90511c2c3f4b764379635c64a04769

SHA1
08446a115bcb6d44d278cec4b559dfee057d3c0d

SHA256
d71149a040a50b083b47a25d77c948874b576cdbda6bbb4cb8611c088874f24f

SHA512
a6a69bcb059fcafb02954bdf34ccb94e3752c739c7fce596c155bb27b640cc034d1d59f460b92e28ceeb220df6da6a0c93329ff7c2930a37ec925bf461f7265e

Download Submit
C:\Windows\SysWOW64\Giafmfad.exe

Filesize
269KB

MD5
ba90511c2c3f4b764379635c64a04769

SHA1
08446a115bcb6d44d278cec4b559dfee057d3c0d

SHA256
d71149a040a50b083b47a25d77c948874b576cdbda6bbb4cb8611c088874f24f

SHA512
a6a69bcb059fcafb02954bdf34ccb94e3752c739c7fce596c155bb27b640cc034d1d59f460b92e28ceeb220df6da6a0c93329ff7c2930a37ec925bf461f7265e

Download Submit
C:\Windows\SysWOW64\Giafmfad.exe

Filesize
269KB

MD5
ba90511c2c3f4b764379635c64a04769

SHA1
08446a115bcb6d44d278cec4b559dfee057d3c0d

SHA256
d71149a040a50b083b47a25d77c948874b576cdbda6bbb4cb8611c088874f24f

SHA512
a6a69bcb059fcafb02954bdf34ccb94e3752c739c7fce596c155bb27b640cc034d1d59f460b92e28ceeb220df6da6a0c93329ff7c2930a37ec925bf461f7265e

Download Submit
C:\Windows\SysWOW64\Gioigf32.exe

Filesize
269KB

MD5
7007029efabff02face2676d1a97f481

SHA1
110e60afc02c1b664051933ddde202dbead6b4b5

SHA256
24234195ac28d1526f19d2911a8a2fe1892d840f84d703b146cd57920e4821f4

SHA512
9e08b555ae25c3d248743d1ec389a75810570d9b28341f4d6ee9cff248bf5faf1942abe28e44f8cca5a869c14e1b79b04c3f3b4a66bfc4e39f34534fb8e5beca

Download Submit
C:\Windows\SysWOW64\Gioigf32.exe

Filesize
269KB

MD5
7007029efabff02face2676d1a97f481

SHA1
110e60afc02c1b664051933ddde202dbead6b4b5

SHA256
24234195ac28d1526f19d2911a8a2fe1892d840f84d703b146cd57920e4821f4

SHA512
9e08b555ae25c3d248743d1ec389a75810570d9b28341f4d6ee9cff248bf5faf1942abe28e44f8cca5a869c14e1b79b04c3f3b4a66bfc4e39f34534fb8e5beca

Download Submit
C:\Windows\SysWOW64\Gioigf32.exe

Filesize
269KB

MD5
7007029efabff02face2676d1a97f481

SHA1
110e60afc02c1b664051933ddde202dbead6b4b5

SHA256
24234195ac28d1526f19d2911a8a2fe1892d840f84d703b146cd57920e4821f4

SHA512
9e08b555ae25c3d248743d1ec389a75810570d9b28341f4d6ee9cff248bf5faf1942abe28e44f8cca5a869c14e1b79b04c3f3b4a66bfc4e39f34534fb8e5beca

Download Submit
C:\Windows\SysWOW64\Halhkamm.dll

Filesize
7KB

MD5
b5fea121790e11088340b6e534fb80d8

SHA1
b2e77c2809e873b0f0fad47f057108d408be45ad

SHA256
74a73530b9ee59d3444deae47aa621c8e3d8a78e072aae8a94da2c3d789d39d3

SHA512
95d093f8f634ad99e8fe818a7504fa7aac892c3a3d023d9bb22dc3fae23ed5cc735fe0fca807e47ba9d7d7184ac3e52e606b5b85f62ff93235f6e262a4a0169e

Download Submit
C:\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
C:\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Bfgikgjq.exe

Filesize
269KB

MD5
6f18f649933a87d2afedbfd0ec954b9d

SHA1
cc294473622715c19c7eaa3adea51b1383f16598

SHA256
095ceac781e1a585cf95e55fb7403898962dc0a87303e6bf47863bb2188e440b

SHA512
ed023669959c9a63796291b8a12884d31394faa781d093dd49c9cbaedf496a447f41a95f4a3998f4a075ce9546310ba0b94a3e12bad9830fcf6fbaa394247ef7

Download Submit
\Windows\SysWOW64\Bfgikgjq.exe

Filesize
269KB

MD5
6f18f649933a87d2afedbfd0ec954b9d

SHA1
cc294473622715c19c7eaa3adea51b1383f16598

SHA256
095ceac781e1a585cf95e55fb7403898962dc0a87303e6bf47863bb2188e440b

SHA512
ed023669959c9a63796291b8a12884d31394faa781d093dd49c9cbaedf496a447f41a95f4a3998f4a075ce9546310ba0b94a3e12bad9830fcf6fbaa394247ef7

Download Submit
\Windows\SysWOW64\Chfadndo.exe

Filesize
269KB

MD5
435d9555d83ef1e86376926ab2c178a5

SHA1
d6bb3a909e007a87df41bace07a06a7000b76de8

SHA256
8388e79ba7c88b7d94cfca16d7ed5a820385f44318fc913146061bf9c2eb5572

SHA512
6cea21fc9058650c732051e5a4c25232da5acbade6c1e549a3321a5a2905920cd79b22c536516f2d69562e0a016ce68354908e36abaaff117ad7579d1721c041

Download Submit
\Windows\SysWOW64\Chfadndo.exe

Filesize
269KB

MD5
435d9555d83ef1e86376926ab2c178a5

SHA1
d6bb3a909e007a87df41bace07a06a7000b76de8

SHA256
8388e79ba7c88b7d94cfca16d7ed5a820385f44318fc913146061bf9c2eb5572

SHA512
6cea21fc9058650c732051e5a4c25232da5acbade6c1e549a3321a5a2905920cd79b22c536516f2d69562e0a016ce68354908e36abaaff117ad7579d1721c041

Download Submit
\Windows\SysWOW64\Dbnpcn32.exe

Filesize
269KB

MD5
609d94dc247c02ed581a3a648d5b3c84

SHA1
412643cf8b2bb6818fda45edf8839204d6e55fbc

SHA256
04fad1d9776bc019e229c9223ceed2894f4980b1cf2a59be865fc9e9c2de7f88

SHA512
0d13879069f74749e2c267c3b5f7f7af8dfc03a84a161596685547faa9d7c772e17397ea303e54b36153ec42083708e033c746781a94428e3b8e95d5dfdee152

Download Submit
\Windows\SysWOW64\Dbnpcn32.exe

Filesize
269KB

MD5
609d94dc247c02ed581a3a648d5b3c84

SHA1
412643cf8b2bb6818fda45edf8839204d6e55fbc

SHA256
04fad1d9776bc019e229c9223ceed2894f4980b1cf2a59be865fc9e9c2de7f88

SHA512
0d13879069f74749e2c267c3b5f7f7af8dfc03a84a161596685547faa9d7c772e17397ea303e54b36153ec42083708e033c746781a94428e3b8e95d5dfdee152

Download Submit
\Windows\SysWOW64\Ejcjfgbk.exe

Filesize
269KB

MD5
700a4bdc1543ae559edad6078722d00c

SHA1
986b30b19022085376be0bd583f04f038bd771c2

SHA256
c6305396edb7ab94e027bd3cbc5c66b73e70eb3a9c39466269ae2549e40ff5f1

SHA512
07bb92172db754e9f2e1748e59d7b1c48984266f2a3c665d79b113e2cee5808303be517f1ae7fd0378af3be5a24a57e70a758b8b4904f3d389d7668b975bbc02

Download Submit
\Windows\SysWOW64\Ejcjfgbk.exe

Filesize
269KB

MD5
700a4bdc1543ae559edad6078722d00c

SHA1
986b30b19022085376be0bd583f04f038bd771c2

SHA256
c6305396edb7ab94e027bd3cbc5c66b73e70eb3a9c39466269ae2549e40ff5f1

SHA512
07bb92172db754e9f2e1748e59d7b1c48984266f2a3c665d79b113e2cee5808303be517f1ae7fd0378af3be5a24a57e70a758b8b4904f3d389d7668b975bbc02

Download Submit
\Windows\SysWOW64\Ejeglg32.exe

Filesize
269KB

MD5
ac9262567074a7d7dd87f38f0569f5d1

SHA1
f1f56121ea3796d87b5718e14f231c4e460e671c

SHA256
b512e471b94b4cf0aece6d7634a0b2a5f69f9d77a611a4d991af1b23042d95bc

SHA512
68f23432a5cd777f35fa23d98d0138a493deeb68b83f9703c439f5c6e0e4ba293b59df982fa8590d508df1b1a390113c9c168b7ff81bbd83329fd7edeeca25a6

Download Submit
\Windows\SysWOW64\Ejeglg32.exe

Filesize
269KB

MD5
ac9262567074a7d7dd87f38f0569f5d1

SHA1
f1f56121ea3796d87b5718e14f231c4e460e671c

SHA256
b512e471b94b4cf0aece6d7634a0b2a5f69f9d77a611a4d991af1b23042d95bc

SHA512
68f23432a5cd777f35fa23d98d0138a493deeb68b83f9703c439f5c6e0e4ba293b59df982fa8590d508df1b1a390113c9c168b7ff81bbd83329fd7edeeca25a6

Download Submit
\Windows\SysWOW64\Enjmlgoj.exe

Filesize
269KB

MD5
caafa27bc542941cc7975ca6f28eaa24

SHA1
1cd51edc43eb588e9b5b6834a77e369c1de7963c

SHA256
4e11c3910de95872f8f13ae5d370a16d509df5677c52c35db3f68ef27468ed8d

SHA512
935d89d0479cec48d8e5a8d12841439dd6e452be824875d128fd075c04fd73a4f3f38e536767c55518490ae549c57e18c1a5757029bc616767bddeb2e70f3155

Download Submit
\Windows\SysWOW64\Enjmlgoj.exe

Filesize
269KB

MD5
caafa27bc542941cc7975ca6f28eaa24

SHA1
1cd51edc43eb588e9b5b6834a77e369c1de7963c

SHA256
4e11c3910de95872f8f13ae5d370a16d509df5677c52c35db3f68ef27468ed8d

SHA512
935d89d0479cec48d8e5a8d12841439dd6e452be824875d128fd075c04fd73a4f3f38e536767c55518490ae549c57e18c1a5757029bc616767bddeb2e70f3155

Download Submit
\Windows\SysWOW64\Gbbdemnl.exe

Filesize
269KB

MD5
17c0f8daf8e286579a6ead2435e4abbf

SHA1
5b30dc87b603646aea14ad875e3337b4b9eaa3ff

SHA256
4994725dae73ea133e6e40494e7df9f1244ba96fa6a8e5a0e4f89ccb92338e60

SHA512
2ab4cfdb21c87e54291ab1dcbea1d23986b7f8ff8947d2660a97239bab786e56b90d6284332bf878c0604079b3907f5b4779866b4b044c5b4575bc7e63ac6c20

Download Submit
\Windows\SysWOW64\Gbbdemnl.exe

Filesize
269KB

MD5
17c0f8daf8e286579a6ead2435e4abbf

SHA1
5b30dc87b603646aea14ad875e3337b4b9eaa3ff

SHA256
4994725dae73ea133e6e40494e7df9f1244ba96fa6a8e5a0e4f89ccb92338e60

SHA512
2ab4cfdb21c87e54291ab1dcbea1d23986b7f8ff8947d2660a97239bab786e56b90d6284332bf878c0604079b3907f5b4779866b4b044c5b4575bc7e63ac6c20

Download Submit
\Windows\SysWOW64\Giafmfad.exe

Filesize
269KB

MD5
ba90511c2c3f4b764379635c64a04769

SHA1
08446a115bcb6d44d278cec4b559dfee057d3c0d

SHA256
d71149a040a50b083b47a25d77c948874b576cdbda6bbb4cb8611c088874f24f

SHA512
a6a69bcb059fcafb02954bdf34ccb94e3752c739c7fce596c155bb27b640cc034d1d59f460b92e28ceeb220df6da6a0c93329ff7c2930a37ec925bf461f7265e

Download Submit
\Windows\SysWOW64\Giafmfad.exe

Filesize
269KB

MD5
ba90511c2c3f4b764379635c64a04769

SHA1
08446a115bcb6d44d278cec4b559dfee057d3c0d

SHA256
d71149a040a50b083b47a25d77c948874b576cdbda6bbb4cb8611c088874f24f

SHA512
a6a69bcb059fcafb02954bdf34ccb94e3752c739c7fce596c155bb27b640cc034d1d59f460b92e28ceeb220df6da6a0c93329ff7c2930a37ec925bf461f7265e

Download Submit
\Windows\SysWOW64\Gioigf32.exe

Filesize
269KB

MD5
7007029efabff02face2676d1a97f481

SHA1
110e60afc02c1b664051933ddde202dbead6b4b5

SHA256
24234195ac28d1526f19d2911a8a2fe1892d840f84d703b146cd57920e4821f4

SHA512
9e08b555ae25c3d248743d1ec389a75810570d9b28341f4d6ee9cff248bf5faf1942abe28e44f8cca5a869c14e1b79b04c3f3b4a66bfc4e39f34534fb8e5beca

Download Submit
\Windows\SysWOW64\Gioigf32.exe

Filesize
269KB

MD5
7007029efabff02face2676d1a97f481

SHA1
110e60afc02c1b664051933ddde202dbead6b4b5

SHA256
24234195ac28d1526f19d2911a8a2fe1892d840f84d703b146cd57920e4821f4

SHA512
9e08b555ae25c3d248743d1ec389a75810570d9b28341f4d6ee9cff248bf5faf1942abe28e44f8cca5a869c14e1b79b04c3f3b4a66bfc4e39f34534fb8e5beca

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
\Windows\SysWOW64\Hblgkkfa.exe

Filesize
269KB

MD5
af3dd8b937ce8200406583c899ea9cc3

SHA1
0b1e2b2f3e27956c21390be916e09233dae372a5

SHA256
2895eaf4b1e47d005b56e1a92621e762562978656f9bb978d6820f5e74a04b0e

SHA512
42801ad02573a1a70de40fbec1d30c3baf87ae959687ca48dbcd58eac65337faa4f464c65cc8381da947470b5a389660d6064d7b202fbccac8b6c7a1703e103f

Download Submit
memory/584-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-122-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/1804-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-67-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1944-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-6-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1944-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-12-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/2056-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-132-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/2188-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-81-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2572-102-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2572-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-33-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2616-21-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2616-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-50-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/3004-36-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3004-39-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3004-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads