e4507d1269e99b7c2430087a7ede90cb6658f7b738e6dab1746d3ea89ffc2fff

Analysis

max time kernel
0s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Size

107KB
MD5

e2095e85a992ae5b29ddd8ee6e8a3e8c
SHA1

f2f18ae23c3f6abd5033acf5291d99f9971b07de
SHA256

e4507d1269e99b7c2430087a7ede90cb6658f7b738e6dab1746d3ea89ffc2fff
SHA512

070b51a8b47ab789b0dc56045b606d64fe0d300b61328463439b11973a4ac8f0b4f3f0933b5cea633d573455a27124fb6c54f46b0c903fe5c2d20aa5b1940a6d
SSDEEP

1536:BO9TT7QlrPLfr0+71T6Djr2LYaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:ozQRPUWyjIYaMU7uihJ5233y

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe

Malware Dropper & Backdoor - Berbew 18 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00060000000232fd-884.dat	family_berbew
behavioral2/files/0x000600000002336b-1237.dat	family_berbew
behavioral2/files/0x0006000000023301-897.dat	family_berbew
behavioral2/files/0x00060000000232f3-853.dat	family_berbew
behavioral2/files/0x0006000000023224-113.dat	family_berbew
behavioral2/files/0x0006000000023222-104.dat	family_berbew
behavioral2/files/0x0006000000023220-95.dat	family_berbew
behavioral2/files/0x000600000002321e-88.dat	family_berbew
behavioral2/files/0x000600000002321c-80.dat	family_berbew
behavioral2/files/0x000600000002321a-72.dat	family_berbew
behavioral2/files/0x0006000000023218-64.dat	family_berbew
behavioral2/files/0x0006000000023216-56.dat	family_berbew
behavioral2/files/0x0006000000023214-48.dat	family_berbew
behavioral2/files/0x0006000000023212-40.dat	family_berbew
behavioral2/files/0x000600000002320f-32.dat	family_berbew
behavioral2/files/0x000600000002320d-24.dat	family_berbew
behavioral2/files/0x0007000000023208-15.dat	family_berbew
behavioral2/files/0x000600000001e5df-8.dat	family_berbew

Executes dropped EXE 10 IoCs

pid	Process
4344	Gqkhjn32.exe
4048	Gcidfi32.exe
1672	Gbldaffp.exe
2468	Gjclbc32.exe
2920	Gmaioo32.exe
4700	Gameonno.exe
3204	Hclakimb.exe
1424	Hboagf32.exe
1564	Hjfihc32.exe
3660	Hihicplj.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7276	8164	WerFault.exe	84

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4344	2300	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe	210
PID 2300 wrote to memory of 4344	2300	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe	210
PID 2300 wrote to memory of 4344	2300	e2095e85a992ae5b29ddd8ee6e8a3e8c.exe	210
PID 4344 wrote to memory of 4048	4344	Gqkhjn32.exe	209
PID 4344 wrote to memory of 4048	4344	Gqkhjn32.exe	209
PID 4344 wrote to memory of 4048	4344	Gqkhjn32.exe	209
PID 4048 wrote to memory of 1672	4048	Gcidfi32.exe	208
PID 4048 wrote to memory of 1672	4048	Gcidfi32.exe	208
PID 4048 wrote to memory of 1672	4048	Gcidfi32.exe	208
PID 1672 wrote to memory of 2468	1672	Gbldaffp.exe	207
PID 1672 wrote to memory of 2468	1672	Gbldaffp.exe	207
PID 1672 wrote to memory of 2468	1672	Gbldaffp.exe	207
PID 2468 wrote to memory of 2920	2468	Gjclbc32.exe	206
PID 2468 wrote to memory of 2920	2468	Gjclbc32.exe	206
PID 2468 wrote to memory of 2920	2468	Gjclbc32.exe	206
PID 2920 wrote to memory of 4700	2920	Gmaioo32.exe	205
PID 2920 wrote to memory of 4700	2920	Gmaioo32.exe	205
PID 2920 wrote to memory of 4700	2920	Gmaioo32.exe	205
PID 4700 wrote to memory of 3204	4700	Gameonno.exe	15
PID 4700 wrote to memory of 3204	4700	Gameonno.exe	15
PID 4700 wrote to memory of 3204	4700	Gameonno.exe	15
PID 3204 wrote to memory of 1424	3204	Hclakimb.exe	204
PID 3204 wrote to memory of 1424	3204	Hclakimb.exe	204
PID 3204 wrote to memory of 1424	3204	Hclakimb.exe	204
PID 1424 wrote to memory of 1564	1424	Hboagf32.exe	16
PID 1424 wrote to memory of 1564	1424	Hboagf32.exe	16
PID 1424 wrote to memory of 1564	1424	Hboagf32.exe	16
PID 1564 wrote to memory of 3660	1564	Hjfihc32.exe	203
PID 1564 wrote to memory of 3660	1564	Hjfihc32.exe	203
PID 1564 wrote to memory of 3660	1564	Hjfihc32.exe	203

C:\Users\Admin\AppData\Local\Temp\e2095e85a992ae5b29ddd8ee6e8a3e8c.exe
"C:\Users\Admin\AppData\Local\Temp\e2095e85a992ae5b29ddd8ee6e8a3e8c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Gqkhjn32.exe
  C:\Windows\system32\Gqkhjn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4344

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\Hboagf32.exe
  C:\Windows\system32\Hboagf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1424

C:\Windows\SysWOW64\Hjfihc32.exe
C:\Windows\system32\Hjfihc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\Hihicplj.exe
  C:\Windows\system32\Hihicplj.exe
  2⤵
  - Executes dropped EXE
  PID:3660

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
1⤵
PID:1936
- C:\Windows\SysWOW64\Hmklen32.exe
  C:\Windows\system32\Hmklen32.exe
  2⤵
  PID:3272

C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
1⤵
PID:1548
- C:\Windows\SysWOW64\Ipnalhii.exe
  C:\Windows\system32\Ipnalhii.exe
  2⤵
  PID:2020

C:\Windows\SysWOW64\Ifhiib32.exe
C:\Windows\system32\Ifhiib32.exe
1⤵
PID:3376
- C:\Windows\SysWOW64\Iiffen32.exe
  C:\Windows\system32\Iiffen32.exe
  2⤵
  PID:2808

C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
1⤵
PID:1108
- C:\Windows\SysWOW64\Iapjlk32.exe
  C:\Windows\system32\Iapjlk32.exe
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\Idofhfmm.exe
    C:\Windows\system32\Idofhfmm.exe
    3⤵
    PID:5144

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
1⤵
PID:5232
- C:\Windows\SysWOW64\Iikopmkd.exe
  C:\Windows\system32\Iikopmkd.exe
  2⤵
  PID:5276

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
1⤵
PID:5324
- C:\Windows\SysWOW64\Ipegmg32.exe
  C:\Windows\system32\Ipegmg32.exe
  2⤵
  PID:5368

C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
1⤵
PID:5456
- C:\Windows\SysWOW64\Ijkljp32.exe
  C:\Windows\system32\Ijkljp32.exe
  2⤵
  PID:5512

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
1⤵
PID:5596
- C:\Windows\SysWOW64\Jdcpcf32.exe
  C:\Windows\system32\Jdcpcf32.exe
  2⤵
  PID:5640

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
1⤵
PID:5684
- C:\Windows\SysWOW64\Jjmhppqd.exe
  C:\Windows\system32\Jjmhppqd.exe
  2⤵
  PID:5728

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
1⤵
PID:5768
- C:\Windows\SysWOW64\Jagqlj32.exe
  C:\Windows\system32\Jagqlj32.exe
  2⤵
  PID:5808

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
1⤵
PID:5856
- C:\Windows\SysWOW64\Jbhmdbnp.exe
  C:\Windows\system32\Jbhmdbnp.exe
  2⤵
  PID:5900

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
1⤵
PID:5940
- C:\Windows\SysWOW64\Jibeql32.exe
  C:\Windows\system32\Jibeql32.exe
  2⤵
  PID:5984

C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
1⤵
PID:6028
- C:\Windows\SysWOW64\Jaimbj32.exe
  C:\Windows\system32\Jaimbj32.exe
  2⤵
  PID:6072

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
1⤵
PID:5128
- C:\Windows\SysWOW64\Jfffjqdf.exe
  C:\Windows\system32\Jfffjqdf.exe
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    PID:5312

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
1⤵
PID:5376
- C:\Windows\SysWOW64\Jdjfcecp.exe
  C:\Windows\system32\Jdjfcecp.exe
  2⤵
  PID:5424

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
1⤵
PID:5500
- C:\Windows\SysWOW64\Jfhbppbc.exe
  C:\Windows\system32\Jfhbppbc.exe
  2⤵
  PID:5576

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
1⤵
PID:5716
- C:\Windows\SysWOW64\Jangmibi.exe
  C:\Windows\system32\Jangmibi.exe
  2⤵
  PID:5788

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
1⤵
PID:5924
- C:\Windows\SysWOW64\Jbocea32.exe
  C:\Windows\system32\Jbocea32.exe
  2⤵
  PID:5996

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
1⤵
PID:6080
- C:\Windows\SysWOW64\Jiikak32.exe
  C:\Windows\system32\Jiikak32.exe
  2⤵
  PID:5140

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
1⤵
PID:5256
- C:\Windows\SysWOW64\Kpccnefa.exe
  C:\Windows\system32\Kpccnefa.exe
  2⤵
  PID:5396

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
1⤵
PID:5612
- C:\Windows\SysWOW64\Kkihknfg.exe
  C:\Windows\system32\Kkihknfg.exe
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\Kilhgk32.exe
    C:\Windows\system32\Kilhgk32.exe
    3⤵
    PID:5892

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
1⤵
PID:5976
- C:\Windows\SysWOW64\Kdaldd32.exe
  C:\Windows\system32\Kdaldd32.exe
  2⤵
  PID:5260

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
1⤵
PID:5908
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  PID:6104

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
1⤵
PID:5504
- C:\Windows\SysWOW64\Kphmie32.exe
  C:\Windows\system32\Kphmie32.exe
  2⤵
  PID:5796

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
1⤵
PID:5608
- C:\Windows\SysWOW64\Kknafn32.exe
  C:\Windows\system32\Kknafn32.exe
  2⤵
  PID:5356

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
PID:5628
- C:\Windows\SysWOW64\Kpjjod32.exe
  C:\Windows\system32\Kpjjod32.exe
  2⤵
  PID:6208

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
1⤵
PID:6248
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  PID:6284

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
1⤵
PID:6328
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  PID:6368

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
1⤵
PID:6408
- C:\Windows\SysWOW64\Kpmfddnf.exe
  C:\Windows\system32\Kpmfddnf.exe
  2⤵
  PID:6448

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
PID:6528
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    PID:6620

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
PID:6664
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  PID:6704

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
PID:6748
- C:\Windows\SysWOW64\Laopdgcg.exe
  C:\Windows\system32\Laopdgcg.exe
  2⤵
  PID:6796

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
PID:6844
- C:\Windows\SysWOW64\Lcpllo32.exe
  C:\Windows\system32\Lcpllo32.exe
  2⤵
  PID:6888

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
PID:6976
- C:\Windows\SysWOW64\Lijdhiaa.exe
  C:\Windows\system32\Lijdhiaa.exe
  2⤵
  PID:7016

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
PID:7100
- C:\Windows\SysWOW64\Lpcmec32.exe
  C:\Windows\system32\Lpcmec32.exe
  2⤵
  PID:7144

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
1⤵
PID:5844
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  PID:6240

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
PID:6524
- C:\Windows\SysWOW64\Ldaeka32.exe
  C:\Windows\system32\Ldaeka32.exe
  2⤵
  PID:6588

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
PID:6648
- C:\Windows\SysWOW64\Lklnhlfb.exe
  C:\Windows\system32\Lklnhlfb.exe
  2⤵
  PID:6732

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
PID:6784
- C:\Windows\SysWOW64\Laefdf32.exe
  C:\Windows\system32\Laefdf32.exe
  2⤵
  PID:6884

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
PID:6944
- C:\Windows\SysWOW64\Lcgblncm.exe
  C:\Windows\system32\Lcgblncm.exe
  2⤵
  PID:7024

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
PID:7092
- C:\Windows\SysWOW64\Mjqjih32.exe
  C:\Windows\system32\Mjqjih32.exe
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\Mahbje32.exe
    C:\Windows\system32\Mahbje32.exe
    3⤵
    PID:6256

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
PID:6392
- C:\Windows\SysWOW64\Mgekbljc.exe
  C:\Windows\system32\Mgekbljc.exe
  2⤵
  PID:6484
- - C:\Windows\SysWOW64\Mjcgohig.exe
    C:\Windows\system32\Mjcgohig.exe
    3⤵
    PID:6476

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
PID:6692
- C:\Windows\SysWOW64\Mdiklqhm.exe
  C:\Windows\system32\Mdiklqhm.exe
  2⤵
  PID:6840

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:6824
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  PID:7052

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
PID:6064
- C:\Windows\SysWOW64\Mdkhapfj.exe
  C:\Windows\system32\Mdkhapfj.exe
  2⤵
  PID:6276

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:6640
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  PID:4988

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:6776
- C:\Windows\SysWOW64\Maohkd32.exe
  C:\Windows\system32\Maohkd32.exe
  2⤵
  PID:7088
- - C:\Windows\SysWOW64\Mdmegp32.exe
    C:\Windows\system32\Mdmegp32.exe
    3⤵
    PID:6316

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
PID:6656
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  PID:6788

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:7084
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  PID:6876

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:5168
- C:\Windows\SysWOW64\Nkjjij32.exe
  C:\Windows\system32\Nkjjij32.exe
  2⤵
  PID:6736

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
PID:7184
- C:\Windows\SysWOW64\Nacbfdao.exe
  C:\Windows\system32\Nacbfdao.exe
  2⤵
  PID:7228

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
PID:7264
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  PID:7312

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
PID:7356
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  PID:7396

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:7440
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  PID:7476

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:7520
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  PID:7560

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
PID:7596
- C:\Windows\SysWOW64\Njacpf32.exe
  C:\Windows\system32\Njacpf32.exe
  2⤵
  PID:7644

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:7728
- C:\Windows\SysWOW64\Ndghmo32.exe
  C:\Windows\system32\Ndghmo32.exe
  2⤵
  PID:7772

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:7816
- C:\Windows\SysWOW64\Ngedij32.exe
  C:\Windows\system32\Ngedij32.exe
  2⤵
  PID:7864

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:7944
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  PID:7992

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:8164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 400
  2⤵
  - Program crash
  PID:7276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 8164 -ip 8164
1⤵
PID:7220

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:8116

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
PID:8076

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:8032

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:7904

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:7684

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
1⤵
PID:6456

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
PID:6400

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
PID:6324

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
1⤵
PID:7060

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
PID:6932

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
PID:6492

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
1⤵
PID:6060

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
1⤵
PID:5680

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
1⤵
PID:5472

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
1⤵
PID:6004

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
1⤵
PID:5496

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
1⤵
PID:5876

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
1⤵
PID:5648

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
1⤵
PID:6116

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
1⤵
PID:5556

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
1⤵
PID:5412

C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
1⤵
PID:5184

C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
1⤵
PID:1972

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
1⤵
PID:4100

C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
1⤵
PID:1608

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
1⤵
PID:3720

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
1⤵
PID:2812

C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
1⤵
PID:1356

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
1⤵
PID:3236

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
1⤵
PID:512

C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
1⤵
PID:2652

C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
1⤵
PID:880

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
1⤵
PID:1516

C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
1⤵
PID:3560

C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
1⤵
PID:2204

C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
1⤵
PID:2036

C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
1⤵
PID:3520

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
1⤵
PID:4384

C:\Windows\SysWOW64\Hadkpm32.exe
C:\Windows\system32\Hadkpm32.exe
1⤵
PID:3008

C:\Windows\SysWOW64\Hjjbcbqj.exe
C:\Windows\system32\Hjjbcbqj.exe
1⤵
PID:624

C:\Windows\SysWOW64\Hbckbepg.exe
C:\Windows\system32\Hbckbepg.exe
1⤵
PID:5028

C:\Windows\SysWOW64\Hpenfjad.exe
C:\Windows\system32\Hpenfjad.exe
1⤵
PID:2708

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
1⤵
PID:632

C:\Windows\SysWOW64\Hikfip32.exe
C:\Windows\system32\Hikfip32.exe
1⤵
PID:3612

C:\Windows\SysWOW64\Hfljmdjc.exe
C:\Windows\system32\Hfljmdjc.exe
1⤵
PID:2436

C:\Windows\SysWOW64\Hcnnaikp.exe
C:\Windows\system32\Hcnnaikp.exe
1⤵
PID:552

C:\Windows\SysWOW64\Hapaemll.exe
C:\Windows\system32\Hapaemll.exe
1⤵
PID:3764

C:\Windows\SysWOW64\Gameonno.exe
C:\Windows\system32\Gameonno.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\Gbldaffp.exe
C:\Windows\system32\Gbldaffp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\Gcidfi32.exe
C:\Windows\system32\Gcidfi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
107KB

MD5
b3f550a2f74a99418b2dd7717135b512

SHA1
c6d41bebadc1a6252b02cb66c65f017cfc5e0ca4

SHA256
2d547e528c6285b15d90c01ffae0dc64280c6ec57ef716f52642e7a6b0a15463

SHA512
22f04f27653009f54b4ad146bb446d32accaaa396e054befa02a443ff5e08b5bb6969599a174b6f0e782106e618dc9b4ea7bf41862a0b61ec99a917c4eb4ec85

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
107KB

MD5
0d58d3ca7686a82f9549cf5e757f5240

SHA1
45b3ae44b1f206dd6b962fcc8774f9399d82a7e9

SHA256
fe06a0b61e5d326ef408033a22e1568ed25b51eae7ed4fcd7f1b80852fbfb55a

SHA512
d77a622c5e53eacae396d4bb49d4497fe0632bc6ecfb05c3f1e0cba26cefb3486e88cb4e15f9e409e57cfbec837ebef0c6b04df518b4f85f866d8bdf424c8d43

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
107KB

MD5
030f0eb70bcee6edd9fb23b133d3413c

SHA1
b2d9e98238ca9ca71fe02344a2931d48ec9543b6

SHA256
ce0319f33f8cd3c8ad0ae2c8bf0ccf89855aec4264bc5975036da280f776409e

SHA512
69bcb76edd61f7f4c051d71edf026fc98a232b35feb51f412f1374236c0a8fe79757794ebfd3b4a10bfca490942038e9f319bc5b9b17d4cd150adebaaa6aeb7b

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
107KB

MD5
24da6b511865dda1f3179299de54a36f

SHA1
44d3386275754bb373a82e5c11d8ee4ee97882b6

SHA256
3ecc013e38944234f3a15fa44d0f51da97130c517a0af571b5c8e4faaf9cf796

SHA512
28d31aa4d1adf36c952637ff92845bd82f35015e40e012b055e4530af84539cfd00fa7d6f9fc04a26f7bef15208289fca52777aaf79c50d5a833a4eff5141d52

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
107KB

MD5
c67b20c9a909f8e2967bb38a6bd4f74e

SHA1
bb6a8e5a55086b3b30bfa69f592521934fb613e4

SHA256
6d878aef12b03e1e57347740155e3cd799291dcda0215fd61a849f1d65bb2261

SHA512
bdf7955fed82490c882e073e46ed850c21f8680add690106230bea84ca7e75c525e8ab4a1f0ed791beb3f4ad08e70087efae094bbcdf9e7a6033c0cc9cd3374d

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
107KB

MD5
08efb90fa494e2d5f49b48ff599ba300

SHA1
6d3253ab03f397142cc364efe6e2d933ad061f17

SHA256
0e152cc228c94f76cec4ab082c682a4a175986595508efc82825ad213ac5bd3c

SHA512
54021f82ebc6ed984f81c8c3af93d27568447569b57561a0b89524f1a8516cdaa95167a8936741338a182e0cec1dc184defa6f0621cf85066fd63a4196bee601

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
107KB

MD5
64d47d80277b8d644ff7a64fbf294471

SHA1
0228c1bd32d6d0a7d199af85cc16ace13dbea20f

SHA256
4f72cd6748c21dc33cfa34f66c2d119ec193da275ccd708a5d05385af0a4e54d

SHA512
ad69ad27bb34d8fde8567d76050c1543e157bf0bd50a581e4c18264593bc5d12ad7cfaa6f699e1632235ede2d77707876b9f5012ea0619ee58b8b4a6e1a89808

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
107KB

MD5
071225016869c44dcf61fbbc235c7809

SHA1
4d023a34bd1c262d5655c1939caf22c03cbd4717

SHA256
e67040690466f82e5d5fcec725d7b8a1bf0b5efba565d343883be57b3796702e

SHA512
4bc068872639abf0dfc44dca7f3c6c65d207bf546c916ba32c1cea4af69646ab9fae94e2a80f611ab29030a82c667d670cdc1dc31bdcdc613b62d897a2c40a1b

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
107KB

MD5
5971217ddbf7033749017750a4a1a0c0

SHA1
33a95e459a6fa5a2480cff1ad0fb9b5e8484664d

SHA256
53eda9fabdf10c24cab333650e4d900ea85ff224cdb49e0c5d7eba002ac3062e

SHA512
14acec9c6ec7f437e27c8d8fe078a922ae5f10fc7f511effce6fcce3f2ad62b5367dde93b50a6b528a216ae46db6a3c9a7ba3d9cd11d03b12f30784071251ca7

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
107KB

MD5
f1c8f33d43c3e2dc807b7e396fd01a06

SHA1
f9786952a301583742b21fb67fee6448067cc230

SHA256
8df741b6664dfd945549dce2d3d106dbb3d8282ee0bf743a9c48397bad6ecb7f

SHA512
3a04c28e6fbe55e34d8ed5b70a68edc5b11e3ad10d7b848da34f20681cfc6b99b4367fdca977c935787a58f18f0f33959553378d695f61302f166c3f166d45cc

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
107KB

MD5
bd62489e2460a7eef12b7a27e07f4576

SHA1
5ca8b07b04f0bdc2a59462d928f208e93245ad84

SHA256
b99bc614783f7b60aa5c709a7372725287e29bb804431cbd61d1b29ce02c1b96

SHA512
80b1586e1021d367a4c0232410705f260ede5f395bcbe67252f2778a976b0ace783618175f7e55f324a4c391d02a7828a7c1d50b816af2a681b39bf89d61d1a4

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
107KB

MD5
80723dd2a3cde948cb3c10fbdc7ff753

SHA1
70c3fa15de9f1b472502c0b7898a05d692c0081a

SHA256
1cfd514461a7eeeb643736ac7565a7a5868bc29d7cdf98975165df52ee1b6010

SHA512
e38a994efeb029889dfcb7f8b301ee922f0040fa6b883e8698be91ead2ffaf29cf5b354eed0c29b4ba4b09e75cc7446d9ede5bd03f2d8c32cbf583648d42e3ac

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
107KB

MD5
2e9717e1efe8def3803449ea5b0711d1

SHA1
66571afaecb36d91504bf86e55577583f96dd5ed

SHA256
2a4b914b906eeba38c49dcb9f1fc96129c5d26bce863e9a6a5de041298744f36

SHA512
753fb9ba81b70e01910b61b5229f967f6398b57480f06b60bd33db561e044e73bd533ee8d83988855afb7d9ef957bb38d6a6aa18f0a8116b04c1f4c24ad09474

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
107KB

MD5
7d3a9dfced6c2899ddd16a9ea011b14a

SHA1
b0798068c0c293a5024b34a767731ed15e46c46c

SHA256
98d788cdf9d4294991b9d6b36fe551224446c40dfbe56babe2f9eeb47e1520d2

SHA512
011f9be701842675b3093eca85305e9bd9e6c1afe2274f21b31f3a2dcff9d6d083a67a2b98cb7d74085ea76c5b8e0d08e1421359bd59e5648e996700fe2fbd6d

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
107KB

MD5
5335a15377a72befc04ebbffb4037a48

SHA1
8c525d48aac7409483483829db0969ea936c8f70

SHA256
b8a5a8a09366a47293dc047c3be1712bd97736dcb1379544e4a1ca7f8ed954ba

SHA512
3bfaf8d69028d9f6a21bf943728fc2b55732a9003b55126f335d2c4d7949e271ea6df3a04a4db9111524a512f96aa40a0eb5f69b7df68b81dd2e3e1ca129f3a4

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
107KB

MD5
9f782b813649a721aef5863bd0e42b33

SHA1
8912f8c94670421983bf4af9ce406e5663261e81

SHA256
12952f2675b8657182955ca788894f08ac1b1d6d3f71257f94f23af3e28cc4e2

SHA512
c96232e52d25c731e1db8c95faaba090e629b3b12a233e4c6db20e4271d219f16881f634fa1d848c2ed8c1740db2b9d0980bfe24157020ab6e9d41c0d27d22d6

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
107KB

MD5
91134aa0f04a40daf6c2c43f4178f940

SHA1
b2fc5009780fc0657c5291c95be79f825025b280

SHA256
5d77298f76c47167165f1ea18bb1df798a546ad477a4c008f19c0a9bf8929a5b

SHA512
6ef2226f02c7f70fe4168b24c73f98e75b596f856f3e2914f684d8da31aa1c27581b8773fa4e8e371620b5ebc745474e2685f64ae27ed772d92bd626c55f3d45

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
107KB

MD5
a5b3153a94081fa50130f3366249428e

SHA1
c7544ed1deb48da8e5594968b5b6f208ff6be812

SHA256
5d37376089f508b7834682fba5228b7be73def8021a45318f0d875534c1cfa55

SHA512
2df7053610f31663c4efbbdcd7dee6bc6016dfd388686cf1c5f14844a2d6e3d4a666e1a8c30b988e59f00c68ede01db6e3947fc6af2d053796b03548a61c5423

Download Submit
memory/512-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/880-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1564-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2020-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2204-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2204-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2812-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3612-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3612-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3660-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3660-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3720-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4700-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4700-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads