1f2a1a9d0dc728195cb0c3a27e688bdf07a53f78597650d7507f2150a7ab4ec0

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a4e8994411cd8e76bb978ede58f12710.exe
Size

1.5MB
MD5

a4e8994411cd8e76bb978ede58f12710
SHA1

66de3e7dd8b9a7a81d4e744cb2985e69ec322ab0
SHA256

1f2a1a9d0dc728195cb0c3a27e688bdf07a53f78597650d7507f2150a7ab4ec0
SHA512

fdaff109da486a0975411a546e22cf03b6f73ef055b788a205700a47d3a7d175845c9b41761d945625b8aac268c0461bd836bf45d55e064f53dda387e72ccf89
SSDEEP

24576:g3x6Q2xZmk6Ux6Q2xlPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3D:5lmkIhbazR0vKLXZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egnajocq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joekag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edgbii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefedmil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehkajig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iplkpa32.exe

Executes dropped EXE 64 IoCs

pid	Process
3804	Akglloai.exe
2212	Blgifbil.exe
1332	Bdbnjdfg.exe
3968	Bdgged32.exe
4644	Cfipef32.exe
2704	Cbbnpg32.exe
4776	Dbicpfdk.exe
1284	Dheibpje.exe
2580	Dfiildio.exe
2156	Dndnpf32.exe
3592	Dkhnjk32.exe
4648	Deqcbpld.exe
2060	Enigke32.exe
3948	Emjgim32.exe
5096	Ebimgcfi.exe
4140	Enpmld32.exe
3600	Emanjldl.exe
368	Ebnfbcbc.exe
1288	Fmcjpl32.exe
3952	Fbpchb32.exe
3844	Fijkdmhn.exe
1912	Fbbpmb32.exe
2092	Fmhdkknd.exe
2100	Ffqhcq32.exe
740	Fpimlfke.exe
4128	Fefedmil.exe
632	Fpkibf32.exe
4700	Gidnkkpc.exe
4480	Gnqfcbnj.exe
2376	Gifkpknp.exe
5104	Gfjkjo32.exe
2488	Glgcbf32.exe
4152	Geohklaa.exe
1540	Gpelhd32.exe
4372	Gimqajgh.exe
824	Gojiiafp.exe
2440	Hipmfjee.exe
4816	Hbhboolf.exe
5016	Hlpfhe32.exe
4460	Hehkajig.exe
3984	Hoaojp32.exe
1648	Hmbphg32.exe
4416	Hfjdqmng.exe
540	Hlglidlo.exe
2716	Ifmqfm32.exe
1880	Iliinc32.exe
1868	Iinjhh32.exe
3320	Iojbpo32.exe
868	Iedjmioj.exe
3828	Ipjoja32.exe
804	Iefgbh32.exe
4248	Iplkpa32.exe
4972	Ieidhh32.exe
780	Ipoheakj.exe
2808	Jekqmhia.exe
3556	Jleijb32.exe
4004	Jenmcggo.exe
2576	Jpcapp32.exe
4448	Jngbjd32.exe
4276	Jcdjbk32.exe
732	Jllokajf.exe
4192	Jedccfqg.exe
348	Kpjgaoqm.exe
1052	Kegpifod.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfibla32.dll	Jaonbc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Hlpfhe32.exe	Hbhboolf.exe
File created	C:\Windows\SysWOW64\Gefklj32.dll	Hoaojp32.exe
File created	C:\Windows\SysWOW64\Bcghdkpf.dll	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Afockelf.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Blgifbil.exe	Akglloai.exe
File created	C:\Windows\SysWOW64\Cpabibmg.dll	Hehkajig.exe
File created	C:\Windows\SysWOW64\Igcnla32.dll	Hfjdqmng.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Gpaihooo.exe	Gaqhjggp.exe
File created	C:\Windows\SysWOW64\Blnfhilh.dll	Hecjke32.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pfoann32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Jhpicj32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Ekjded32.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Ehfomc32.dll	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Enpmld32.exe	Ebimgcfi.exe
File opened for modification	C:\Windows\SysWOW64\Jedccfqg.exe	Jllokajf.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Pabcflhd.dll	Lpepbgbd.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Ebnfbcbc.exe	Emanjldl.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Kncaec32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qmeigg32.exe
File opened for modification	C:\Windows\SysWOW64\Dqnjgl32.exe	Dolmodpi.exe
File created	C:\Windows\SysWOW64\Eohmkb32.exe	Edbiniff.exe
File opened for modification	C:\Windows\SysWOW64\Fdnhih32.exe	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Ieagmcmq.exe
File created	C:\Windows\SysWOW64\Nqcejcha.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Hlglidlo.exe	Hfjdqmng.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Knenkbio.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Ieidhh32.exe	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Hmbphg32.exe	Hoaojp32.exe
File opened for modification	C:\Windows\SysWOW64\Hipmfjee.exe	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Knenkbio.exe
File created	C:\Windows\SysWOW64\Kpjbdk32.dll	Dqpfmlce.exe
File created	C:\Windows\SysWOW64\Mnfgko32.dll	Lepleocn.exe
File created	C:\Windows\SysWOW64\Ajmladbl.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Ephbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Enigke32.exe	Deqcbpld.exe
File created	C:\Windows\SysWOW64\Fefedmil.exe	Fpimlfke.exe
File created	C:\Windows\SysWOW64\Inclga32.dll	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Papambbb.dll	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fkmjaa32.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Gnnccl32.exe	Fajbjh32.exe
File created	C:\Windows\SysWOW64\Hhfpbpdo.exe	Hbihjifh.exe
File created	C:\Windows\SysWOW64\Afcmfe32.exe	Apjdikqd.exe
File opened for modification	C:\Windows\SysWOW64\Jekqmhia.exe	Ipoheakj.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qfmmplad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8796	8672	WerFault.exe	362

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.a4e8994411cd8e76bb978ede58f12710.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll"	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll"	Dqnjgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfipef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdijliok.dll"	Blgifbil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higplnpb.dll"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiildio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjhgbi.dll"	Bdbnjdfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egljbmnm.dll"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeco32.dll"	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpamfo32.dll"	NEAS.a4e8994411cd8e76bb978ede58f12710.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Ahdpjn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3804	4628	NEAS.a4e8994411cd8e76bb978ede58f12710.exe	83
PID 4628 wrote to memory of 3804	4628	NEAS.a4e8994411cd8e76bb978ede58f12710.exe	83
PID 4628 wrote to memory of 3804	4628	NEAS.a4e8994411cd8e76bb978ede58f12710.exe	83
PID 3804 wrote to memory of 2212	3804	Akglloai.exe	84
PID 3804 wrote to memory of 2212	3804	Akglloai.exe	84
PID 3804 wrote to memory of 2212	3804	Akglloai.exe	84
PID 2212 wrote to memory of 1332	2212	Blgifbil.exe	85
PID 2212 wrote to memory of 1332	2212	Blgifbil.exe	85
PID 2212 wrote to memory of 1332	2212	Blgifbil.exe	85
PID 1332 wrote to memory of 3968	1332	Bdbnjdfg.exe	86
PID 1332 wrote to memory of 3968	1332	Bdbnjdfg.exe	86
PID 1332 wrote to memory of 3968	1332	Bdbnjdfg.exe	86
PID 3968 wrote to memory of 4644	3968	Bdgged32.exe	87
PID 3968 wrote to memory of 4644	3968	Bdgged32.exe	87
PID 3968 wrote to memory of 4644	3968	Bdgged32.exe	87
PID 4644 wrote to memory of 2704	4644	Cfipef32.exe	88
PID 4644 wrote to memory of 2704	4644	Cfipef32.exe	88
PID 4644 wrote to memory of 2704	4644	Cfipef32.exe	88
PID 2704 wrote to memory of 4776	2704	Cbbnpg32.exe	89
PID 2704 wrote to memory of 4776	2704	Cbbnpg32.exe	89
PID 2704 wrote to memory of 4776	2704	Cbbnpg32.exe	89
PID 4776 wrote to memory of 1284	4776	Dbicpfdk.exe	176
PID 4776 wrote to memory of 1284	4776	Dbicpfdk.exe	176
PID 4776 wrote to memory of 1284	4776	Dbicpfdk.exe	176
PID 1284 wrote to memory of 2580	1284	Dheibpje.exe	175
PID 1284 wrote to memory of 2580	1284	Dheibpje.exe	175
PID 1284 wrote to memory of 2580	1284	Dheibpje.exe	175
PID 2580 wrote to memory of 2156	2580	Dfiildio.exe	90
PID 2580 wrote to memory of 2156	2580	Dfiildio.exe	90
PID 2580 wrote to memory of 2156	2580	Dfiildio.exe	90
PID 2156 wrote to memory of 3592	2156	Dndnpf32.exe	173
PID 2156 wrote to memory of 3592	2156	Dndnpf32.exe	173
PID 2156 wrote to memory of 3592	2156	Dndnpf32.exe	173
PID 3592 wrote to memory of 4648	3592	Dkhnjk32.exe	172
PID 3592 wrote to memory of 4648	3592	Dkhnjk32.exe	172
PID 3592 wrote to memory of 4648	3592	Dkhnjk32.exe	172
PID 4648 wrote to memory of 2060	4648	Deqcbpld.exe	171
PID 4648 wrote to memory of 2060	4648	Deqcbpld.exe	171
PID 4648 wrote to memory of 2060	4648	Deqcbpld.exe	171
PID 2060 wrote to memory of 3948	2060	Enigke32.exe	91
PID 2060 wrote to memory of 3948	2060	Enigke32.exe	91
PID 2060 wrote to memory of 3948	2060	Enigke32.exe	91
PID 3948 wrote to memory of 5096	3948	Emjgim32.exe	169
PID 3948 wrote to memory of 5096	3948	Emjgim32.exe	169
PID 3948 wrote to memory of 5096	3948	Emjgim32.exe	169
PID 5096 wrote to memory of 4140	5096	Ebimgcfi.exe	92
PID 5096 wrote to memory of 4140	5096	Ebimgcfi.exe	92
PID 5096 wrote to memory of 4140	5096	Ebimgcfi.exe	92
PID 4140 wrote to memory of 3600	4140	Enpmld32.exe	93
PID 4140 wrote to memory of 3600	4140	Enpmld32.exe	93
PID 4140 wrote to memory of 3600	4140	Enpmld32.exe	93
PID 3600 wrote to memory of 368	3600	Emanjldl.exe	167
PID 3600 wrote to memory of 368	3600	Emanjldl.exe	167
PID 3600 wrote to memory of 368	3600	Emanjldl.exe	167
PID 368 wrote to memory of 1288	368	Ebnfbcbc.exe	166
PID 368 wrote to memory of 1288	368	Ebnfbcbc.exe	166
PID 368 wrote to memory of 1288	368	Ebnfbcbc.exe	166
PID 1288 wrote to memory of 3952	1288	Fmcjpl32.exe	165
PID 1288 wrote to memory of 3952	1288	Fmcjpl32.exe	165
PID 1288 wrote to memory of 3952	1288	Fmcjpl32.exe	165
PID 3952 wrote to memory of 3844	3952	Fbpchb32.exe	94
PID 3952 wrote to memory of 3844	3952	Fbpchb32.exe	94
PID 3952 wrote to memory of 3844	3952	Fbpchb32.exe	94
PID 3844 wrote to memory of 1912	3844	Fijkdmhn.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.a4e8994411cd8e76bb978ede58f12710.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a4e8994411cd8e76bb978ede58f12710.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\Akglloai.exe
  C:\Windows\system32\Akglloai.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Blgifbil.exe
    C:\Windows\system32\Blgifbil.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\Bdbnjdfg.exe
      C:\Windows\system32\Bdbnjdfg.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284

C:\Windows\SysWOW64\Dndnpf32.exe
C:\Windows\system32\Dndnpf32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Dkhnjk32.exe
  C:\Windows\system32\Dkhnjk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3592

C:\Windows\SysWOW64\Emjgim32.exe
C:\Windows\system32\Emjgim32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\Ebimgcfi.exe
  C:\Windows\system32\Ebimgcfi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5096

C:\Windows\SysWOW64\Enpmld32.exe
C:\Windows\system32\Enpmld32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\Emanjldl.exe
  C:\Windows\system32\Emanjldl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\Ebnfbcbc.exe
    C:\Windows\system32\Ebnfbcbc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:368

C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\system32\Fijkdmhn.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\Fbbpmb32.exe
  C:\Windows\system32\Fbbpmb32.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- - C:\Windows\SysWOW64\Fmhdkknd.exe
    C:\Windows\system32\Fmhdkknd.exe
    3⤵
    - Executes dropped EXE
    PID:2092
  - - C:\Windows\SysWOW64\Ffqhcq32.exe
      C:\Windows\system32\Ffqhcq32.exe
      4⤵
      Executes dropped EXE
      PID:2100
    - - C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
      - C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:632

C:\Windows\SysWOW64\Gfjkjo32.exe
C:\Windows\system32\Gfjkjo32.exe
1⤵
- Executes dropped EXE
PID:5104
- C:\Windows\SysWOW64\Glgcbf32.exe
  C:\Windows\system32\Glgcbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2488
- - C:\Windows\SysWOW64\Geohklaa.exe
    C:\Windows\system32\Geohklaa.exe
    3⤵
    - Executes dropped EXE
    PID:4152

C:\Windows\SysWOW64\Gimqajgh.exe
C:\Windows\system32\Gimqajgh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4372
- C:\Windows\SysWOW64\Gojiiafp.exe
  C:\Windows\system32\Gojiiafp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:824

C:\Windows\SysWOW64\Hipmfjee.exe
C:\Windows\system32\Hipmfjee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440
- C:\Windows\SysWOW64\Hbhboolf.exe
  C:\Windows\system32\Hbhboolf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4816
- - C:\Windows\SysWOW64\Hlpfhe32.exe
    C:\Windows\system32\Hlpfhe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:5016

C:\Windows\SysWOW64\Hehkajig.exe
C:\Windows\system32\Hehkajig.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4460
- C:\Windows\SysWOW64\Hoaojp32.exe
  C:\Windows\system32\Hoaojp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3984

C:\Windows\SysWOW64\Hmbphg32.exe
C:\Windows\system32\Hmbphg32.exe
1⤵
- Executes dropped EXE
PID:1648
- C:\Windows\SysWOW64\Hfjdqmng.exe
  C:\Windows\system32\Hfjdqmng.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4416

C:\Windows\SysWOW64\Hlglidlo.exe
C:\Windows\system32\Hlglidlo.exe
1⤵
- Executes dropped EXE
PID:540
- C:\Windows\SysWOW64\Ifmqfm32.exe
  C:\Windows\system32\Ifmqfm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2716

C:\Windows\SysWOW64\Iliinc32.exe
C:\Windows\system32\Iliinc32.exe
1⤵
- Executes dropped EXE
PID:1880
- C:\Windows\SysWOW64\Iinjhh32.exe
  C:\Windows\system32\Iinjhh32.exe
  2⤵
  - Executes dropped EXE
  PID:1868

C:\Windows\SysWOW64\Iedjmioj.exe
C:\Windows\system32\Iedjmioj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:868
- C:\Windows\SysWOW64\Ipjoja32.exe
  C:\Windows\system32\Ipjoja32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:3828

C:\Windows\SysWOW64\Iefgbh32.exe
C:\Windows\system32\Iefgbh32.exe
1⤵
- Executes dropped EXE
PID:804
- C:\Windows\SysWOW64\Iplkpa32.exe
  C:\Windows\system32\Iplkpa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4248

C:\Windows\SysWOW64\Ieidhh32.exe
C:\Windows\system32\Ieidhh32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4972
- C:\Windows\SysWOW64\Ipoheakj.exe
  C:\Windows\system32\Ipoheakj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:780

C:\Windows\SysWOW64\Jekqmhia.exe
C:\Windows\system32\Jekqmhia.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2808
- C:\Windows\SysWOW64\Jleijb32.exe
  C:\Windows\system32\Jleijb32.exe
  2⤵
  - Executes dropped EXE
  PID:3556

C:\Windows\SysWOW64\Jpcapp32.exe
C:\Windows\system32\Jpcapp32.exe
1⤵
- Executes dropped EXE
PID:2576
- C:\Windows\SysWOW64\Jngbjd32.exe
  C:\Windows\system32\Jngbjd32.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- - C:\Windows\SysWOW64\Jcdjbk32.exe
    C:\Windows\system32\Jcdjbk32.exe
    3⤵
    - Executes dropped EXE
    PID:4276

C:\Windows\SysWOW64\Jllokajf.exe
C:\Windows\system32\Jllokajf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:732
- C:\Windows\SysWOW64\Jedccfqg.exe
  C:\Windows\system32\Jedccfqg.exe
  2⤵
  - Executes dropped EXE
  PID:4192

C:\Windows\SysWOW64\Kegpifod.exe
C:\Windows\system32\Kegpifod.exe
1⤵
- Executes dropped EXE
PID:1052
- C:\Windows\SysWOW64\Kpmdfonj.exe
  C:\Windows\system32\Kpmdfonj.exe
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\Kjeiodek.exe
    C:\Windows\system32\Kjeiodek.exe
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\Kcmmhj32.exe
      C:\Windows\system32\Kcmmhj32.exe
      4⤵
      PID:832
    - - C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        5⤵
        Drops file in System32 directory
        
        PID:1580
      - C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2760
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        7⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        8⤵
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        9⤵
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4568
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        11⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        12⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        13⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        14⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        15⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        16⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        17⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        18⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        19⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        20⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        21⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        22⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        24⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        25⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        28⤵
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        29⤵
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        30⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        33⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        34⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        35⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        36⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        37⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        38⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        39⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        40⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        42⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        43⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        44⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        45⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        46⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        47⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        49⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        50⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        51⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        52⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        53⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        54⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        55⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        56⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        59⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        60⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        61⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        62⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        63⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        64⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        65⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        66⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        67⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        68⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        69⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        71⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        72⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        73⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        74⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        77⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        78⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        79⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        81⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        82⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        83⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        84⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        85⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        86⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        90⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        93⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        94⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        95⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        96⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        97⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        98⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        99⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        100⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        101⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        102⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        105⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        106⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        107⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        110⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        111⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        113⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        114⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        116⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        117⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        118⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        120⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        121⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        122⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        123⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        127⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        128⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        130⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        131⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        132⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        134⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        135⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        136⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        137⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        138⤵
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        139⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        140⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        141⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        142⤵
        Drops file in System32 directory
        
        PID:7448
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        143⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        145⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        146⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        147⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        149⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        150⤵
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        151⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        152⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        154⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        155⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        156⤵
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        157⤵
        Modifies registry class
        
        PID:8104
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        158⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        159⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        160⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        161⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        162⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        163⤵
        Drops file in System32 directory
        
        PID:7524
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        164⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7656
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7704
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        167⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        168⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        169⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        171⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        172⤵
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        173⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        174⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        178⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        181⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        182⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        183⤵
        Drops file in System32 directory
        
        PID:7804
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        184⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        185⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        187⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        188⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7520
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        190⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        191⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7920
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        194⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        195⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        196⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        197⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8244
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8288
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        200⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8372
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        202⤵
        Modifies registry class
        
        PID:8416
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8484
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        204⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        205⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        206⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        207⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8672 -s 408
        208⤵
        Program crash
        
        PID:8796

C:\Windows\SysWOW64\Kpjgaoqm.exe
C:\Windows\system32\Kpjgaoqm.exe
1⤵
- Executes dropped EXE
PID:348

C:\Windows\SysWOW64\Jenmcggo.exe
C:\Windows\system32\Jenmcggo.exe
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\Iojbpo32.exe
C:\Windows\system32\Iojbpo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3320

C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1540

C:\Windows\SysWOW64\Gifkpknp.exe
C:\Windows\system32\Gifkpknp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2376

C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWOW64\Gidnkkpc.exe
C:\Windows\system32\Gidnkkpc.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\system32\Fbpchb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\Fmcjpl32.exe
C:\Windows\system32\Fmcjpl32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\Enigke32.exe
C:\Windows\system32\Enigke32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\Deqcbpld.exe
C:\Windows\system32\Deqcbpld.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Dfiildio.exe
C:\Windows\system32\Dfiildio.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8672 -ip 8672
1⤵
PID:8760

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7284

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:7792

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:7288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akglloai.exe

Filesize
1.5MB

MD5
58a1c44b99634aace526a7dcfa91555b

SHA1
a98a77f960730e374d5ed353bd8edaed8d601bbf

SHA256
ccd491ce0303dfd9375d9eabe1158d9317e09eb703983c86109de04a92c9385a

SHA512
7438f6858f3c40f5601e1368e058630cc16925ebd0271636fa5a3a8a87e6391e12f2a220f5fe02f7351ce71feba1d7a617e5cbf4b7002df201e91a3dcd9e969b

Download Submit
C:\Windows\SysWOW64\Akglloai.exe

Filesize
1.5MB

MD5
58a1c44b99634aace526a7dcfa91555b

SHA1
a98a77f960730e374d5ed353bd8edaed8d601bbf

SHA256
ccd491ce0303dfd9375d9eabe1158d9317e09eb703983c86109de04a92c9385a

SHA512
7438f6858f3c40f5601e1368e058630cc16925ebd0271636fa5a3a8a87e6391e12f2a220f5fe02f7351ce71feba1d7a617e5cbf4b7002df201e91a3dcd9e969b

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
1.5MB

MD5
bdbb2d8a6e24fc9c3e46d8846d73e20c

SHA1
8b1b1c5c0e217f451017380064d9c327b3a6e569

SHA256
2089fa16fd97a4a3cc10d3d9de05cf3e53920d697653039094bd34e09b9c1059

SHA512
556ee250493092271d30ed30c679ef14c9987ab05f76ba6e4f2948effb7a85ff02a56190e849474c7f62352b17512c2716bf5c2ebd8d99deb49a875c100e40fc

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
1.5MB

MD5
bdbb2d8a6e24fc9c3e46d8846d73e20c

SHA1
8b1b1c5c0e217f451017380064d9c327b3a6e569

SHA256
2089fa16fd97a4a3cc10d3d9de05cf3e53920d697653039094bd34e09b9c1059

SHA512
556ee250493092271d30ed30c679ef14c9987ab05f76ba6e4f2948effb7a85ff02a56190e849474c7f62352b17512c2716bf5c2ebd8d99deb49a875c100e40fc

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
1.5MB

MD5
85c9319f6fef8c8b62e259c3cda18791

SHA1
947856fb87f1cb4dcffc9bc109f416399870d73e

SHA256
5b2fd2e1c89e21b6569a8c92757299551eb11435641e699cd0876a90abdcaab7

SHA512
96da775c66fe3c0b674e4e4718536d90b50e57748c8b08f4ac554ce19e1f528f4eca7fe43e05dbbb92d25d9cd811701a000ffae55d3681e9dd7d05c0c388a0da

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
1.5MB

MD5
85c9319f6fef8c8b62e259c3cda18791

SHA1
947856fb87f1cb4dcffc9bc109f416399870d73e

SHA256
5b2fd2e1c89e21b6569a8c92757299551eb11435641e699cd0876a90abdcaab7

SHA512
96da775c66fe3c0b674e4e4718536d90b50e57748c8b08f4ac554ce19e1f528f4eca7fe43e05dbbb92d25d9cd811701a000ffae55d3681e9dd7d05c0c388a0da

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
1.5MB

MD5
5f09da7f46421a7d6c30a26905b234f3

SHA1
ebb031599d6b9dba9bba19626b6a5012d0bfcace

SHA256
66c8703fb210cf59c2ba907cb96fa79070b6dac5f97c7e41b48ffa3737c779f6

SHA512
5f3bd5547ca6c1ace8b30ed425d5ef33043ed1271dc8c68e41b28973d913b857e35b71e9c9ab7e4e2e2469e62a1f41b9bf44fe85da608d75ced5bd2a122dde82

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
1.5MB

MD5
5f09da7f46421a7d6c30a26905b234f3

SHA1
ebb031599d6b9dba9bba19626b6a5012d0bfcace

SHA256
66c8703fb210cf59c2ba907cb96fa79070b6dac5f97c7e41b48ffa3737c779f6

SHA512
5f3bd5547ca6c1ace8b30ed425d5ef33043ed1271dc8c68e41b28973d913b857e35b71e9c9ab7e4e2e2469e62a1f41b9bf44fe85da608d75ced5bd2a122dde82

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
1.5MB

MD5
34e8988a45a38c04705380fa4c235c0c

SHA1
a8b86b4544e8885fbc330bb0e6bd869df6b74918

SHA256
52c771c7450ac8c2e4639fd533468e3311813afdfc6ab8bad141b9f1e146cd1b

SHA512
95f5763652b245f3bfdd34328e8b4dd13766bfa94d834f77f3d6d1b5648927fe0fff841f530d1b7b45774d8f9949df673b9f53b3286acbcf14582283493f3cf4

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
1.5MB

MD5
34e8988a45a38c04705380fa4c235c0c

SHA1
a8b86b4544e8885fbc330bb0e6bd869df6b74918

SHA256
52c771c7450ac8c2e4639fd533468e3311813afdfc6ab8bad141b9f1e146cd1b

SHA512
95f5763652b245f3bfdd34328e8b4dd13766bfa94d834f77f3d6d1b5648927fe0fff841f530d1b7b45774d8f9949df673b9f53b3286acbcf14582283493f3cf4

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
1.5MB

MD5
b18c8f9bf47433867b0900387ffe1ea4

SHA1
145119621e70a56ea71cd5e4ec90bee58b07fb51

SHA256
62783b89313217ebea8f1cf7654c2ace6cde3ff9d794bfc900649dfe4b89aaae

SHA512
264ac4af7396a39501262c05565024d2bb835211d3b4a17d011c69530d5f602831b9f603b43d29cf8da023660bd53197b67d170d0032959c62f909ed30d5b0e4

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
1.5MB

MD5
54654d42c7fad9eaeba846cba344f1b0

SHA1
dde51375072d13c92d71d2f37441750d3265418a

SHA256
ce246b791d5d90c92e3e7f9b9f4a8b80e58bb0c394208d2fa9565f76e95a0234

SHA512
c8da470337fec90efec22305942a190dbee5efb96cca8a0d52912d008a8ad587fa7ed27b0bac116b3a38a26b2a1840c48f8900411dcea0f9317f94765be4aa56

Download Submit
C:\Windows\SysWOW64\Cfipef32.exe

Filesize
1.5MB

MD5
54654d42c7fad9eaeba846cba344f1b0

SHA1
dde51375072d13c92d71d2f37441750d3265418a

SHA256
ce246b791d5d90c92e3e7f9b9f4a8b80e58bb0c394208d2fa9565f76e95a0234

SHA512
c8da470337fec90efec22305942a190dbee5efb96cca8a0d52912d008a8ad587fa7ed27b0bac116b3a38a26b2a1840c48f8900411dcea0f9317f94765be4aa56

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
1.5MB

MD5
55fe0b2e02f352c35593d84e07697c9d

SHA1
8dcc54e40c68e047e783a99ba7dc6c5e23fc9f51

SHA256
142c15a0b1ff2084202f3c50b4bbc4c231a420b56a10989139ae48b9dcfca53e

SHA512
f1ca6dc81a9b3531d3d32a0b134ee6c7ed533883284724b028d5b0048e1bee401c746b099d0ce2cc9df7e43bdbb110df6d46e4bf113722adc9535184c867587e

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
1.5MB

MD5
55fe0b2e02f352c35593d84e07697c9d

SHA1
8dcc54e40c68e047e783a99ba7dc6c5e23fc9f51

SHA256
142c15a0b1ff2084202f3c50b4bbc4c231a420b56a10989139ae48b9dcfca53e

SHA512
f1ca6dc81a9b3531d3d32a0b134ee6c7ed533883284724b028d5b0048e1bee401c746b099d0ce2cc9df7e43bdbb110df6d46e4bf113722adc9535184c867587e

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
1.5MB

MD5
a2c8612efa044c9dd50309f972702687

SHA1
5195f5367678bd09cdfb22fa2f47859b86402866

SHA256
8ccdc3dc68feed499b5670e20483a186f0581c397e4d523d398cf8bcf45ac1f9

SHA512
ae228db87df49ce8b6af38317845d461bb6eb28779a2f224917d76da048886d7878d8ece92a001b499260d6f141867e63da05405639ed027a4c40bdf4a78584d

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
1.5MB

MD5
a2c8612efa044c9dd50309f972702687

SHA1
5195f5367678bd09cdfb22fa2f47859b86402866

SHA256
8ccdc3dc68feed499b5670e20483a186f0581c397e4d523d398cf8bcf45ac1f9

SHA512
ae228db87df49ce8b6af38317845d461bb6eb28779a2f224917d76da048886d7878d8ece92a001b499260d6f141867e63da05405639ed027a4c40bdf4a78584d

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
1.5MB

MD5
799128c894747e2f32cab2c72f77ad93

SHA1
c346353315bfe5aaac6432afd87e7dc4ba2f4014

SHA256
c9d931ce31ef08bc5ec14dd71781b128d7f43dcce146b3930412daa6d5408c74

SHA512
a925d40da5d089d23b6a47ab6674ac1daa6eaaf2b25486611fee2b267fcacfc28e3e238b124b0fabfd52c4007eb7dc95a09f62e4f73e6e38546bd60a2428df76

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
1.5MB

MD5
799128c894747e2f32cab2c72f77ad93

SHA1
c346353315bfe5aaac6432afd87e7dc4ba2f4014

SHA256
c9d931ce31ef08bc5ec14dd71781b128d7f43dcce146b3930412daa6d5408c74

SHA512
a925d40da5d089d23b6a47ab6674ac1daa6eaaf2b25486611fee2b267fcacfc28e3e238b124b0fabfd52c4007eb7dc95a09f62e4f73e6e38546bd60a2428df76

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
1.5MB

MD5
487abedb1b9be2aa6951cec2af55aa63

SHA1
edc360147b80572b3df47d6e96128a958b19a5c3

SHA256
2520fb6406673494bdd5eb3a9dddc030a722b80df7dbe570262aa317a7aa1cad

SHA512
659db97a6176a23708adc8625e8cc5793c3a401f4d2453a5fdf63c8bac08d0d2a888c0229020bd8ab79d834894fee2bbb4aa6b6c78cabdfaae8946380b12880d

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
1.5MB

MD5
487abedb1b9be2aa6951cec2af55aa63

SHA1
edc360147b80572b3df47d6e96128a958b19a5c3

SHA256
2520fb6406673494bdd5eb3a9dddc030a722b80df7dbe570262aa317a7aa1cad

SHA512
659db97a6176a23708adc8625e8cc5793c3a401f4d2453a5fdf63c8bac08d0d2a888c0229020bd8ab79d834894fee2bbb4aa6b6c78cabdfaae8946380b12880d

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
1.5MB

MD5
4a34e36ed6c272d4452df00a74555d53

SHA1
c6cb3390041de165daee1b989cf9bbe77a94c9db

SHA256
464a8467b19875c62b472eb5aa0a38d53050660a5ec43277288d7da1eeed7937

SHA512
427bf5dc695b0a7861e74a8f34c8f1c1c24841397f021cf35af734c2c03dd90b692148972004f10525d3668306d4ddd301e3b6660909ba0abf31c1594797ca70

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
1.5MB

MD5
add2492d39060aa3da7eb2d8a39fa977

SHA1
248c9524d93db55a95c6bbd8925d4ee02d3f83b4

SHA256
e29fa7979a58486dcc9f830a666b5b8fdfcbb71f59e22c4560922d3a49376c82

SHA512
23daf58fba922b4468f1fb5891dba4a2741ef2aafd1da233fc02563e18e54c92dec618280ecfa0818d9fe327554544e65c6b7fd6299ce45a9525f7f255b4d356

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
1.5MB

MD5
add2492d39060aa3da7eb2d8a39fa977

SHA1
248c9524d93db55a95c6bbd8925d4ee02d3f83b4

SHA256
e29fa7979a58486dcc9f830a666b5b8fdfcbb71f59e22c4560922d3a49376c82

SHA512
23daf58fba922b4468f1fb5891dba4a2741ef2aafd1da233fc02563e18e54c92dec618280ecfa0818d9fe327554544e65c6b7fd6299ce45a9525f7f255b4d356

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
1.5MB

MD5
08839c08baf6a1d3c0fd7af4d87bb0e0

SHA1
95a72ce85285541b4541e5eea405d4be79d2b972

SHA256
91699d44a427cb59a8def2cdd21ea16defc210f176af8211fe2893369edaf194

SHA512
925453986008d5c60d60a3877e85531d77c2c8dc63b08dba1a8bb8639935d23c23f3321cc97fe049ad4b92315858ee6c09d10291b8e9d59ad9189ba5c8892f59

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
1.5MB

MD5
08839c08baf6a1d3c0fd7af4d87bb0e0

SHA1
95a72ce85285541b4541e5eea405d4be79d2b972

SHA256
91699d44a427cb59a8def2cdd21ea16defc210f176af8211fe2893369edaf194

SHA512
925453986008d5c60d60a3877e85531d77c2c8dc63b08dba1a8bb8639935d23c23f3321cc97fe049ad4b92315858ee6c09d10291b8e9d59ad9189ba5c8892f59

Download Submit
C:\Windows\SysWOW64\Ebimgcfi.exe

Filesize
1.5MB

MD5
ee52d765caa11862fc07b735d527286f

SHA1
138b99fb984fabbde69f76f377f731298b8fee11

SHA256
e0c8b648d93e9238919a6f00a4d3414878cecb3d823ecae4456a51c004bfde0a

SHA512
30dedd0c5529b8f1c94faf83a3ce962a751fbc621dda218e76e614783c3d9df35bc7f7fef967fb2c99a7ff99896056bb767111af61f2a9f266bd798db6830929

Download Submit
C:\Windows\SysWOW64\Ebimgcfi.exe

Filesize
1.5MB

MD5
ee52d765caa11862fc07b735d527286f

SHA1
138b99fb984fabbde69f76f377f731298b8fee11

SHA256
e0c8b648d93e9238919a6f00a4d3414878cecb3d823ecae4456a51c004bfde0a

SHA512
30dedd0c5529b8f1c94faf83a3ce962a751fbc621dda218e76e614783c3d9df35bc7f7fef967fb2c99a7ff99896056bb767111af61f2a9f266bd798db6830929

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
1.5MB

MD5
b241803afaa0d1ba9f5f25e7819cb54a

SHA1
734feabfdeb0de5476a7d0d91bbe50407ceca17d

SHA256
444203d4c8f1d429e236d4cab6b6eb52714494ef82b4ad7490fea3dce84a499c

SHA512
faf83c6eea769c73dd422ccf66f66f2db39fa7098f49fc6ad07eaa31d5b1b6360012925875deb85008671d8993a0246a724bc7239ce822a4d104b88047b5fdf6

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
1.5MB

MD5
b241803afaa0d1ba9f5f25e7819cb54a

SHA1
734feabfdeb0de5476a7d0d91bbe50407ceca17d

SHA256
444203d4c8f1d429e236d4cab6b6eb52714494ef82b4ad7490fea3dce84a499c

SHA512
faf83c6eea769c73dd422ccf66f66f2db39fa7098f49fc6ad07eaa31d5b1b6360012925875deb85008671d8993a0246a724bc7239ce822a4d104b88047b5fdf6

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
1.5MB

MD5
9ec60c59cefa1aaa16a305133f12c0be

SHA1
a85cc05f1d6171ee9087297b549200a724ea5720

SHA256
a44dd2062163ebf45cdd6a9cb78f78939b14ad955c0a8223ac81396d44a4a002

SHA512
e10715adb6ff099681c5a788e992b7a24706a96e710298606902e493bc20320476804e1bb450cc30cd2c893f7f6d3c350f7e71e99a36b112739466e50d73ef22

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
1.5MB

MD5
9ec60c59cefa1aaa16a305133f12c0be

SHA1
a85cc05f1d6171ee9087297b549200a724ea5720

SHA256
a44dd2062163ebf45cdd6a9cb78f78939b14ad955c0a8223ac81396d44a4a002

SHA512
e10715adb6ff099681c5a788e992b7a24706a96e710298606902e493bc20320476804e1bb450cc30cd2c893f7f6d3c350f7e71e99a36b112739466e50d73ef22

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
1.5MB

MD5
fec1fd23bb9bc17cfcc262589b7dd99d

SHA1
5453cb192cbd06c3df91ce207fcee45810df3357

SHA256
70f4ecf094bbe6dc954894144eb1d542410e2ee31fd62a557dd85fd535daa05e

SHA512
9ec5cd4a128a4c9f29dd5e2a15b081f6dbe444fc471929fad49e7f50a4e3e2b803da041e13d7002f4d08ad49f88c3bc394c600f908982a2be1aa07b85f2130ee

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
1.5MB

MD5
fec1fd23bb9bc17cfcc262589b7dd99d

SHA1
5453cb192cbd06c3df91ce207fcee45810df3357

SHA256
70f4ecf094bbe6dc954894144eb1d542410e2ee31fd62a557dd85fd535daa05e

SHA512
9ec5cd4a128a4c9f29dd5e2a15b081f6dbe444fc471929fad49e7f50a4e3e2b803da041e13d7002f4d08ad49f88c3bc394c600f908982a2be1aa07b85f2130ee

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
1.5MB

MD5
579c82175039778ab4d4bcf7dc881790

SHA1
352add3ee06b005f11f3b916dbb9f390d6f4e8cb

SHA256
1569d984320e9c8b9695aa5c8611d93291cb8a9146e4c34ceeb6b8997c6f3fb0

SHA512
30da6517678fa482a832be21177375e8f00f69f4e939911e821db421f051a3c2cdbba05b512accdf1bc8fd57f71ad077dfce7990e2e1f06e068819b75a54d878

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
1.5MB

MD5
579c82175039778ab4d4bcf7dc881790

SHA1
352add3ee06b005f11f3b916dbb9f390d6f4e8cb

SHA256
1569d984320e9c8b9695aa5c8611d93291cb8a9146e4c34ceeb6b8997c6f3fb0

SHA512
30da6517678fa482a832be21177375e8f00f69f4e939911e821db421f051a3c2cdbba05b512accdf1bc8fd57f71ad077dfce7990e2e1f06e068819b75a54d878

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
1.5MB

MD5
e3d331e8e3abb1f8d96da45654ae0240

SHA1
b7fbbf7a6e29a9fb7d6a526e054a3d61e9edf1db

SHA256
db129795088f42f7830f0ad41d2aa3713256cb7c6db4407571b026bc118de270

SHA512
2295429fbeb1e9965bfdfcfa8a6b67aed653b7e46b031e069e3fb362495a0f68428df52d5222a9636e6e954eb0bd8d65dc7b1961fb866a53f8421bfeb885dd7a

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
1.5MB

MD5
e3d331e8e3abb1f8d96da45654ae0240

SHA1
b7fbbf7a6e29a9fb7d6a526e054a3d61e9edf1db

SHA256
db129795088f42f7830f0ad41d2aa3713256cb7c6db4407571b026bc118de270

SHA512
2295429fbeb1e9965bfdfcfa8a6b67aed653b7e46b031e069e3fb362495a0f68428df52d5222a9636e6e954eb0bd8d65dc7b1961fb866a53f8421bfeb885dd7a

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
1.5MB

MD5
046820eab8de548b04a577021163888e

SHA1
f573acd8fbd8ef710681ea4577287fb7c963dfce

SHA256
8fe0fb2bffb2ee51db766e3d78033482cad9e5278dead4e3574df7a4880521b4

SHA512
e9e17364dd0b9f97462828e902f9272e7e5f525333b3a5a7f6e766a0c2633705621e106260c97acc4bc2071fa4986b5363bf7b64af669a042ec7a4e5d8882b8d

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
1.5MB

MD5
046820eab8de548b04a577021163888e

SHA1
f573acd8fbd8ef710681ea4577287fb7c963dfce

SHA256
8fe0fb2bffb2ee51db766e3d78033482cad9e5278dead4e3574df7a4880521b4

SHA512
e9e17364dd0b9f97462828e902f9272e7e5f525333b3a5a7f6e766a0c2633705621e106260c97acc4bc2071fa4986b5363bf7b64af669a042ec7a4e5d8882b8d

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
1.5MB

MD5
6d511d5a2fa4a3f5b23c078adcf95952

SHA1
a8917e120e2bd65111c8fa2bf65a0406d3468c79

SHA256
223bf8cdaff4f39710f2f7856ca55582271bc61b9c27d49e474da632ce133ac5

SHA512
f7f3645cd3df986558e56d71278c57f8dfc4a7a98efc4dd5daa45c421e3ae4da33706723cf44ae49c9bede0e42dc35f21ef84d0ccb1ef2215530a8b5d7b93e20

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
1.5MB

MD5
8936b7b63d7809bdcda3850de66012a0

SHA1
d1f57495b0e0c163ddbbd3951746de8a7eef62e7

SHA256
b82729417ddf118538eb12489944d032674eab9b183dbfa545307d8be0ecdf29

SHA512
db5b91be1aa56358d5e05663ff9613d5155a878a61c9a6a93360050f8bdb9ac447cd701e08cc19234f9e01158a8f5074fb8f006c166ce20345e655daf96fa694

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
1.5MB

MD5
8936b7b63d7809bdcda3850de66012a0

SHA1
d1f57495b0e0c163ddbbd3951746de8a7eef62e7

SHA256
b82729417ddf118538eb12489944d032674eab9b183dbfa545307d8be0ecdf29

SHA512
db5b91be1aa56358d5e05663ff9613d5155a878a61c9a6a93360050f8bdb9ac447cd701e08cc19234f9e01158a8f5074fb8f006c166ce20345e655daf96fa694

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
1.5MB

MD5
9f84e2dfd0195d2a2f745e6eb1d6ed74

SHA1
d9e75b9f1fa7b71c7484ec48c84e8e60883ef94e

SHA256
565284564fd71c22be92fd387f13cc0488cacc068ad3ba482c6d84921d5a5ade

SHA512
d55333a8ffeed3b328f4f20a07109f1d335da7d0f29d9c8a28bbc8506b0cd65e322ed26e1d6a49a8030b1262f9abea27bcdcfea664947ba4d406468899a2bfdd

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
1.5MB

MD5
9f84e2dfd0195d2a2f745e6eb1d6ed74

SHA1
d9e75b9f1fa7b71c7484ec48c84e8e60883ef94e

SHA256
565284564fd71c22be92fd387f13cc0488cacc068ad3ba482c6d84921d5a5ade

SHA512
d55333a8ffeed3b328f4f20a07109f1d335da7d0f29d9c8a28bbc8506b0cd65e322ed26e1d6a49a8030b1262f9abea27bcdcfea664947ba4d406468899a2bfdd

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
1.5MB

MD5
aa704b1bf32e03c3903a854b612cedfa

SHA1
ffb388d23cb20ebdd6891da5c440e3682c89544d

SHA256
b4b8629f12c7297ab66ca12ef9a4e89c5d41154cd8b3426821fb9e3754bf535a

SHA512
bae0a901ebe2d0e6c2d960f9b4d8038edd40562fc073067f875b7c39ce707a8cea8c94da43cec2d7dd6ef6d4d3e265055b70589e6bebf35e1dc1c83ea05954ed

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
1.5MB

MD5
aa704b1bf32e03c3903a854b612cedfa

SHA1
ffb388d23cb20ebdd6891da5c440e3682c89544d

SHA256
b4b8629f12c7297ab66ca12ef9a4e89c5d41154cd8b3426821fb9e3754bf535a

SHA512
bae0a901ebe2d0e6c2d960f9b4d8038edd40562fc073067f875b7c39ce707a8cea8c94da43cec2d7dd6ef6d4d3e265055b70589e6bebf35e1dc1c83ea05954ed

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
1.5MB

MD5
4db49a3f73b5391d01d826a6981cf425

SHA1
94c5fa5481026b79372bc7dcfe99844eddb2e82a

SHA256
e642fa34c50406e527d9643e1be45aee56686656345b8f9fddd21fc6ca1e9e90

SHA512
bd088f2171ec81ad02bb17e03007e9d066bd05d130b67ac60fd17c1a709e3e435ce555e59c6abcaf0ff111acb9f110a948eebf085f098ab13400bb8b6cc902b5

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
1.5MB

MD5
4db49a3f73b5391d01d826a6981cf425

SHA1
94c5fa5481026b79372bc7dcfe99844eddb2e82a

SHA256
e642fa34c50406e527d9643e1be45aee56686656345b8f9fddd21fc6ca1e9e90

SHA512
bd088f2171ec81ad02bb17e03007e9d066bd05d130b67ac60fd17c1a709e3e435ce555e59c6abcaf0ff111acb9f110a948eebf085f098ab13400bb8b6cc902b5

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
1.5MB

MD5
b30389b9c42c3e411023c20b2950166e

SHA1
840bba4df79c8081a18450453fa2733fcffbbfa1

SHA256
72321f2287853d291c5a33f7a2df538c5c3eb5e9bcdf87c643f8510d55c07b97

SHA512
2510f2687e1a26e9a375c57d8b632ffd3e3c5b1ffaf0415365e8532cee2db8740e6ace6c0fef747b493970864359715982c9ce63d6d03b0885a0d87d0bdbb2b1

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
1.5MB

MD5
b30389b9c42c3e411023c20b2950166e

SHA1
840bba4df79c8081a18450453fa2733fcffbbfa1

SHA256
72321f2287853d291c5a33f7a2df538c5c3eb5e9bcdf87c643f8510d55c07b97

SHA512
2510f2687e1a26e9a375c57d8b632ffd3e3c5b1ffaf0415365e8532cee2db8740e6ace6c0fef747b493970864359715982c9ce63d6d03b0885a0d87d0bdbb2b1

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
1.5MB

MD5
b98a42c857aaf107f3fdb19a872694f5

SHA1
53b88a2a2d1646f6761201ff0e898fda0c4ee439

SHA256
341e2ca53ea35993a71854bda041b2cb3dfafb16979bd7ac1f98e3dec1c34aba

SHA512
b28bdd2a4b25b87977acece58c3cac43fc83e7a70314f29198a4306d4e8a4692b986b668afd4bc9f907e3a7263d3aff6be890e5dbac5c66b171c7acb54bc5c17

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
1.5MB

MD5
b98a42c857aaf107f3fdb19a872694f5

SHA1
53b88a2a2d1646f6761201ff0e898fda0c4ee439

SHA256
341e2ca53ea35993a71854bda041b2cb3dfafb16979bd7ac1f98e3dec1c34aba

SHA512
b28bdd2a4b25b87977acece58c3cac43fc83e7a70314f29198a4306d4e8a4692b986b668afd4bc9f907e3a7263d3aff6be890e5dbac5c66b171c7acb54bc5c17

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
1.5MB

MD5
c0319b753dbe8787573fa76d48c6533e

SHA1
8b0a814f555aadc0a6423bfeb10be03b1afb9130

SHA256
8283044937ab8714cf3d6858e1a2a3f27e5a6c6ed5601cb53afc16ba10935e7f

SHA512
7c4385b8a3815c626671733ded4dd4bc2bb6e1a1a19756ac8068beca89e3bda77ebca84d83fb11536ee2970050062a0fb46a4c3b6417d23c76bb2ed672d0c6bc

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
1.5MB

MD5
c0319b753dbe8787573fa76d48c6533e

SHA1
8b0a814f555aadc0a6423bfeb10be03b1afb9130

SHA256
8283044937ab8714cf3d6858e1a2a3f27e5a6c6ed5601cb53afc16ba10935e7f

SHA512
7c4385b8a3815c626671733ded4dd4bc2bb6e1a1a19756ac8068beca89e3bda77ebca84d83fb11536ee2970050062a0fb46a4c3b6417d23c76bb2ed672d0c6bc

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
1.5MB

MD5
edb7e158cc1a5c0340c1e6d8c1956246

SHA1
eebbc62179ff3b909c54072014d71cf621897c16

SHA256
a28dbed2405ffa0fbba58d9e2a0876f955f05c234a8e80c324bdaa27ac26a8ba

SHA512
232be804259a25e05ca76643fc08545a1613a5b97a3fb1477c5972f8cd5a2e6f93cde975bf85b80b4f1d4f334531d01467391bf5c7d7d2f857280bbbf00ae787

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
1.5MB

MD5
edb7e158cc1a5c0340c1e6d8c1956246

SHA1
eebbc62179ff3b909c54072014d71cf621897c16

SHA256
a28dbed2405ffa0fbba58d9e2a0876f955f05c234a8e80c324bdaa27ac26a8ba

SHA512
232be804259a25e05ca76643fc08545a1613a5b97a3fb1477c5972f8cd5a2e6f93cde975bf85b80b4f1d4f334531d01467391bf5c7d7d2f857280bbbf00ae787

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
1.5MB

MD5
e9b93c159da8aedeb31ba195e1d155fd

SHA1
a8b3a37d8efa0e5122a6620ffd3a3ef34f1269c4

SHA256
15916be1c7a895ddb0bc8948a649a57884c14e3e1a770f42cd13d1fa63617b90

SHA512
5f0aad3f6ad2ec480b6357cf2781a0aa86dbbe6435e25746bffa4156466a5f897c8831def2d5a952b3c8f700cb2ed4b2b895b503727157b9244aa33341081b08

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
1.5MB

MD5
e9b93c159da8aedeb31ba195e1d155fd

SHA1
a8b3a37d8efa0e5122a6620ffd3a3ef34f1269c4

SHA256
15916be1c7a895ddb0bc8948a649a57884c14e3e1a770f42cd13d1fa63617b90

SHA512
5f0aad3f6ad2ec480b6357cf2781a0aa86dbbe6435e25746bffa4156466a5f897c8831def2d5a952b3c8f700cb2ed4b2b895b503727157b9244aa33341081b08

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
1.5MB

MD5
048272305b3d96f3b189a89eeb873775

SHA1
c29e62ecb049b6c510b739200e54ca4a28fb4c44

SHA256
219827f430238e14e97aa468f3e0633493ca13b0f6d085dcd93ed3e6a50872d8

SHA512
a0db7cdead446ac32af3f1db66066a684a7b128e563426a8c904b49d302fd054cc1237cc79bba976988a1d321c5723f3bc09b936b6d28e0391c4ca595f84b527

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
1.5MB

MD5
048272305b3d96f3b189a89eeb873775

SHA1
c29e62ecb049b6c510b739200e54ca4a28fb4c44

SHA256
219827f430238e14e97aa468f3e0633493ca13b0f6d085dcd93ed3e6a50872d8

SHA512
a0db7cdead446ac32af3f1db66066a684a7b128e563426a8c904b49d302fd054cc1237cc79bba976988a1d321c5723f3bc09b936b6d28e0391c4ca595f84b527

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
1.5MB

MD5
d6aaf197c12d46df8646857cc98cec93

SHA1
6274c771ecf6a15cbf5a9ecf31b27adb9e80dcb5

SHA256
3bf3db09a44d6a678b726ce041a6ddcc5c9a134b5eecbfd13d61b44c043ac937

SHA512
ab5846639b7b521975e14099aae341fa645328ad7050d6bc5b02e316b38bfe9472ec9d43464ef33ce19a84901e389cc2d4c1516a68766b87ed777be09ca44c7e

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
1.5MB

MD5
d6aaf197c12d46df8646857cc98cec93

SHA1
6274c771ecf6a15cbf5a9ecf31b27adb9e80dcb5

SHA256
3bf3db09a44d6a678b726ce041a6ddcc5c9a134b5eecbfd13d61b44c043ac937

SHA512
ab5846639b7b521975e14099aae341fa645328ad7050d6bc5b02e316b38bfe9472ec9d43464ef33ce19a84901e389cc2d4c1516a68766b87ed777be09ca44c7e

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
1.5MB

MD5
897965dcc1535f4af519565b389e5e8a

SHA1
2932d2c1a47c5cd3e67c8b53016a39ec20abcd3f

SHA256
33d2d257627d5b9e1c4a8650016ab8f998f06c80511ede117706c6a87d2a6b97

SHA512
da1e687b430064358072d195bdb7e490f93a5d6d4549fc06a76a6df48c08a10ba84d29aa97f7a7bc4211903c1047e7dad5bddd4deca488da741010b24b3def40

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
1.5MB

MD5
897965dcc1535f4af519565b389e5e8a

SHA1
2932d2c1a47c5cd3e67c8b53016a39ec20abcd3f

SHA256
33d2d257627d5b9e1c4a8650016ab8f998f06c80511ede117706c6a87d2a6b97

SHA512
da1e687b430064358072d195bdb7e490f93a5d6d4549fc06a76a6df48c08a10ba84d29aa97f7a7bc4211903c1047e7dad5bddd4deca488da741010b24b3def40

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
1.5MB

MD5
21e96ac0cbfa9b8fc63f42443b2be46f

SHA1
ad59247fd171c90f0089b08961b19902764ac222

SHA256
844df5ddef9593fba64a585f18670c76c903b1e8036aad35297aaf97cbe83ac9

SHA512
e321c3aa0c514304b3a83125884dec325d019bb8c5ed04001f0e756e0b53720eb45b0eac32a7ad24057e49c890af672a552168e1f5ec1e3204c33312d2bd3c3a

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
1.5MB

MD5
21e96ac0cbfa9b8fc63f42443b2be46f

SHA1
ad59247fd171c90f0089b08961b19902764ac222

SHA256
844df5ddef9593fba64a585f18670c76c903b1e8036aad35297aaf97cbe83ac9

SHA512
e321c3aa0c514304b3a83125884dec325d019bb8c5ed04001f0e756e0b53720eb45b0eac32a7ad24057e49c890af672a552168e1f5ec1e3204c33312d2bd3c3a

Download Submit
C:\Windows\SysWOW64\Lpochfji.exe

Filesize
1.5MB

MD5
6cffcbdd4ffa998c6b25005cd76afa99

SHA1
c6a32cf2154f266e0fd9007ebf3d6eadd3ba7a45

SHA256
eaa751d2dd6771494796161c9b6083665d20729438be4b10e8fc498b528e3f68

SHA512
64a7aefcb3dece927688511bcadca7d821965cf96a6ef68dcf20d856b780cae1cad9664fc30f32737dc7f5e2f24b444fe58bbfd5e892c59b00f6cc3d234610fc

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
1.5MB

MD5
df2b7eb499e52abac826dd25918fafe5

SHA1
3fbed71d821177d1b146bea56462b0beefc33afb

SHA256
2e22464ad10171c49368e5838ef9270d352439873124f1aed94b41a5f1383854

SHA512
8a35affdea463b175906f7c1c726a06cb286bc79de44a28b244d21a7d6bc89cf0966b20b5b0eea7e61527428e963476a3fa592722b1d9a9d92119fe8b718e069

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
1.5MB

MD5
44152557ef0836fd3f98c1fe249ac06e

SHA1
1fdfeef39d4a70276e097ad03ec1757ba4f98ccd

SHA256
c8e03c06fbae1758f8412be376321baeb782ef832b0a4d0d2e2fc65e8980b7b7

SHA512
27f5df79fabc5bed9acdde9367cad849419c7d556ae563e68cd1b80edc74463e02e310939cd50beed3b605c8cd82ee189c1e7bc2d254038cb8a3787a2a537c2f

Download Submit
memory/368-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-839-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-744-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-719-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-780-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads