6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe
Size

55KB
MD5

cdfb886fec8aa87df4d8cde2382a6565
SHA1

39c33580688f7cca3c3ce92371a8aaf92e2730f4
SHA256

6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0
SHA512

46a9fb8cb601ae68728009216b442705e8689735328800014bba83856d290722a7e7266299bdbf74fed2750946c7f85bef6e784902d8407a87c03b0e62eb143f
SSDEEP

768:KEh5/Hi1FazbP7P4oc4AdfD6bkPGWlN5up8kFF+SBm0q5SIl/1H5+jowjv2aX+v9:KEC1FezPgdGo+tn+SBm0MbEjdjvM087

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keifdpif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe

Executes dropped EXE 64 IoCs

pid	Process
736	Pjmjdm32.exe
4592	Pjbcplpe.exe
640	Pjdpelnc.exe
3628	Qobhkjdi.exe
4560	Qpcecb32.exe
1912	Qjiipk32.exe
4048	Cpbjkn32.exe
212	Cogddd32.exe
2020	Dhphmj32.exe
2204	Ddgibkpc.exe
1400	Ddifgk32.exe
2960	Damfao32.exe
1900	Dqbcbkab.exe
1288	Doccpcja.exe
3880	Ehlhih32.exe
836	Egcaod32.exe
3140	Eqncnj32.exe
2092	Foapaa32.exe
4360	Fqeioiam.exe
4776	Fqgedh32.exe
448	Feenjgfq.exe
4712	Gnnccl32.exe
936	Ganldgib.exe
4608	Gihpkd32.exe
1328	Gacepg32.exe
2244	Gngeik32.exe
4012	Hbenoi32.exe
3544	Hiacacpg.exe
4192	Hbihjifh.exe
1468	Hbldphde.exe
1028	Hppeim32.exe
4736	Ilfennic.exe
2980	Iijfhbhl.exe
3792	Ipgkjlmg.exe
4912	Ipkdek32.exe
3904	Joqafgni.exe
2208	Jldbpl32.exe
3808	Jemfhacc.exe
1680	Joekag32.exe
5004	Jhnojl32.exe
1844	Johggfha.exe
4716	Jojdlfeo.exe
1424	Kiphjo32.exe
672	Kheekkjl.exe
3128	Keifdpif.exe
4732	Koajmepf.exe
1496	Khiofk32.exe
556	Lhnhajba.exe
624	Lcfidb32.exe
5012	Lpjjmg32.exe
832	Ljbnfleo.exe
2592	Lplfcf32.exe
3912	Llcghg32.exe
1164	Mfkkqmiq.exe
2816	Modpib32.exe
436	Mofmobmo.exe
3324	Mcdeeq32.exe
4988	Mokfja32.exe
404	Nfgklkoc.exe
1696	Nckkfp32.exe
2768	Nmcpoedn.exe
2316	Niojoeel.exe
5036	Obgohklm.exe
4924	Oqhoeb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Doccpcja.exe	Dqbcbkab.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Eqncnj32.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Falmlm32.dll	Joekag32.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Koajmepf.exe
File created	C:\Windows\SysWOW64\Podbibma.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Jldbpl32.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Keifdpif.exe	Kheekkjl.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Hbldphde.exe	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Gihpkd32.exe	Ganldgib.exe
File created	C:\Windows\SysWOW64\Pjoppf32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Cmmdfp32.dll	Damfao32.exe
File created	C:\Windows\SysWOW64\Cidcnbjk.dll	Foapaa32.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Feenjgfq.exe	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Fcekfnkb.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bapgdm32.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Fqgedh32.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Eecgicmp.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Gnobcjlg.dll	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Mfkkqmiq.exe	Llcghg32.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Johggfha.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Lkjaaljm.dll	Johggfha.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Joekag32.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pjoppf32.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhhd32.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Gmefoohh.dll	Feenjgfq.exe
File opened for modification	C:\Windows\SysWOW64\Ilfennic.exe	Hppeim32.exe
File created	C:\Windows\SysWOW64\Llcghg32.exe	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoppf32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Mpiedk32.dll	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Hbenoi32.exe	Gngeik32.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hbihjifh.exe
File created	C:\Windows\SysWOW64\Ngcglo32.dll	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Dkbgjo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5248	5920	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Joekag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll"	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlhih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieicjl32.dll"	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcglo32.dll"	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehenqf32.dll"	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkodmbe.dll"	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elckbhbj.dll"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Ephbhd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 736	4664	6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe	91
PID 4664 wrote to memory of 736	4664	6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe	91
PID 4664 wrote to memory of 736	4664	6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe	91
PID 736 wrote to memory of 4592	736	Pjmjdm32.exe	92
PID 736 wrote to memory of 4592	736	Pjmjdm32.exe	92
PID 736 wrote to memory of 4592	736	Pjmjdm32.exe	92
PID 4592 wrote to memory of 640	4592	Pjbcplpe.exe	93
PID 4592 wrote to memory of 640	4592	Pjbcplpe.exe	93
PID 4592 wrote to memory of 640	4592	Pjbcplpe.exe	93
PID 640 wrote to memory of 3628	640	Pjdpelnc.exe	94
PID 640 wrote to memory of 3628	640	Pjdpelnc.exe	94
PID 640 wrote to memory of 3628	640	Pjdpelnc.exe	94
PID 3628 wrote to memory of 4560	3628	Qobhkjdi.exe	95
PID 3628 wrote to memory of 4560	3628	Qobhkjdi.exe	95
PID 3628 wrote to memory of 4560	3628	Qobhkjdi.exe	95
PID 4560 wrote to memory of 1912	4560	Qpcecb32.exe	96
PID 4560 wrote to memory of 1912	4560	Qpcecb32.exe	96
PID 4560 wrote to memory of 1912	4560	Qpcecb32.exe	96
PID 1912 wrote to memory of 4048	1912	Qjiipk32.exe	97
PID 1912 wrote to memory of 4048	1912	Qjiipk32.exe	97
PID 1912 wrote to memory of 4048	1912	Qjiipk32.exe	97
PID 4048 wrote to memory of 212	4048	Cpbjkn32.exe	98
PID 4048 wrote to memory of 212	4048	Cpbjkn32.exe	98
PID 4048 wrote to memory of 212	4048	Cpbjkn32.exe	98
PID 212 wrote to memory of 2020	212	Cogddd32.exe	99
PID 212 wrote to memory of 2020	212	Cogddd32.exe	99
PID 212 wrote to memory of 2020	212	Cogddd32.exe	99
PID 2020 wrote to memory of 2204	2020	Dhphmj32.exe	100
PID 2020 wrote to memory of 2204	2020	Dhphmj32.exe	100
PID 2020 wrote to memory of 2204	2020	Dhphmj32.exe	100
PID 2204 wrote to memory of 1400	2204	Ddgibkpc.exe	101
PID 2204 wrote to memory of 1400	2204	Ddgibkpc.exe	101
PID 2204 wrote to memory of 1400	2204	Ddgibkpc.exe	101
PID 1400 wrote to memory of 2960	1400	Ddifgk32.exe	102
PID 1400 wrote to memory of 2960	1400	Ddifgk32.exe	102
PID 1400 wrote to memory of 2960	1400	Ddifgk32.exe	102
PID 2960 wrote to memory of 1900	2960	Damfao32.exe	103
PID 2960 wrote to memory of 1900	2960	Damfao32.exe	103
PID 2960 wrote to memory of 1900	2960	Damfao32.exe	103
PID 1900 wrote to memory of 1288	1900	Dqbcbkab.exe	104
PID 1900 wrote to memory of 1288	1900	Dqbcbkab.exe	104
PID 1900 wrote to memory of 1288	1900	Dqbcbkab.exe	104
PID 1288 wrote to memory of 3880	1288	Doccpcja.exe	105
PID 1288 wrote to memory of 3880	1288	Doccpcja.exe	105
PID 1288 wrote to memory of 3880	1288	Doccpcja.exe	105
PID 3880 wrote to memory of 836	3880	Ehlhih32.exe	106
PID 3880 wrote to memory of 836	3880	Ehlhih32.exe	106
PID 3880 wrote to memory of 836	3880	Ehlhih32.exe	106
PID 836 wrote to memory of 3140	836	Egcaod32.exe	107
PID 836 wrote to memory of 3140	836	Egcaod32.exe	107
PID 836 wrote to memory of 3140	836	Egcaod32.exe	107
PID 3140 wrote to memory of 2092	3140	Eqncnj32.exe	108
PID 3140 wrote to memory of 2092	3140	Eqncnj32.exe	108
PID 3140 wrote to memory of 2092	3140	Eqncnj32.exe	108
PID 2092 wrote to memory of 4360	2092	Foapaa32.exe	109
PID 2092 wrote to memory of 4360	2092	Foapaa32.exe	109
PID 2092 wrote to memory of 4360	2092	Foapaa32.exe	109
PID 4360 wrote to memory of 4776	4360	Fqeioiam.exe	110
PID 4360 wrote to memory of 4776	4360	Fqeioiam.exe	110
PID 4360 wrote to memory of 4776	4360	Fqeioiam.exe	110
PID 4776 wrote to memory of 448	4776	Fqgedh32.exe	111
PID 4776 wrote to memory of 448	4776	Fqgedh32.exe	111
PID 4776 wrote to memory of 448	4776	Fqgedh32.exe	111
PID 448 wrote to memory of 4712	448	Feenjgfq.exe	112

C:\Users\Admin\AppData\Local\Temp\6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe
"C:\Users\Admin\AppData\Local\Temp\6139bf2d6bb894586db7756a04b90cf5a2ba0cb5abfc13b34fa37ee8c053e7d0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\Pjmjdm32.exe
  C:\Windows\system32\Pjmjdm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\Pjbcplpe.exe
    C:\Windows\system32\Pjbcplpe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\Pjdpelnc.exe
      C:\Windows\system32\Pjdpelnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        25⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        33⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        36⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        58⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        65⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        70⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        71⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        74⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        75⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        77⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        78⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        80⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        81⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        85⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        90⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        97⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        101⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        104⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        105⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        106⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        111⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 408
        112⤵
        Program crash
        
        PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5920 -ip 5920
1⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
55KB

MD5
e19c1aa58fdc3755b0ceae4ceacf4bc8

SHA1
f2e1c618015ade1516749d958f5b4efa56d3fb8a

SHA256
906c8e2b6a83e39714b359106fb37b1f252995a69e63cf39956485cded1bfb0b

SHA512
815108327992f045a14a136c1665b7e5e7ea42b9f2a6cbafb0408169ec4c458f924a790d57681bd21fec6acfe4e0c4136dfefb69dd9ad67113cd2017f8804ea9

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
55KB

MD5
1ce5a83531fa5265261c55131ddf439f

SHA1
4cae64f349e7ca0a6cdbba362104f48ab4342ba2

SHA256
cfd7da1ddf578573417a0aed6c8fb34a3d9d94d6ad6f067b85424c955a561ee7

SHA512
ecbe583cb97b437ee1973c2c9ac65f5e915fd490c719a711d916c71002e808426773b8f3e1c801afa0926894646f8933a86dce6a835f34c428d718b32bb6af13

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
55KB

MD5
d9598f5a113442fc5b9c051c7db61784

SHA1
73062defcd545a0e405e17ee3d3c72c8f4a35133

SHA256
74eb940eaf798d7ca8830b28790d4a2c670ab9e1790e31517f98e670d72604ba

SHA512
8908300aec7d96fc9e9985ec059e52ca467030a20b888a75e69b4a003db0eaed7a88691adc27002680f5a12a346178b8be49f57f93bccc11e0e205fe9d9d5543

Download Submit
C:\Windows\SysWOW64\Damfao32.exe

Filesize
55KB

MD5
09de1af14ef15e658efed790f4b23cd0

SHA1
49a7fc806a5c5ba5944aede3a381714ca5116afb

SHA256
1fa3ee06fb7e6f90ed716b90672068e39111768e9ae4a0835bcb420dc82c4935

SHA512
663b4ebbbc51585a9fbac21a676af2ac7771bb79f0cf247707f9d67b2cb4370d57b0ede92e9dda456eac6f104b99acca45f1bc082865c388e4969c7eab665088

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
55KB

MD5
b628e9ef90eee67bf42ef3c1f0b70a79

SHA1
a31c112bac87c0902b8b4bca0d5ee4762e7f6a6d

SHA256
223deaa235f638d2528553f5214edd6a5982c671694eeba9c54e4dc309caebae

SHA512
e415c8176e5375b613c397c41b2bd362c8ff1ab6f316b4096a326ae89cef17fcc3021afe84bcd4842364008156bd6b2874f7c549a40d97345e485525b6ecfb6c

Download Submit
C:\Windows\SysWOW64\Ddifgk32.exe

Filesize
55KB

MD5
7a4e64a94cb26970d5cd4e35b0d04e86

SHA1
f3c378afea14c1258e225b622173d35df389a27e

SHA256
b32b627dbb3fad83e2b5ba9ef8d4b029f6df196047c5178cc012154234bcaff2

SHA512
cfd36dacb4b7c0842949e2fae58a68d5a7499b3bb55943cee715dbfa71024bdadd8d3048a594e050a2ead363eeff49c60dbf67dc16bec443420824f230e995a9

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
55KB

MD5
da890dca24182d817dc5104c5498a3d0

SHA1
dec8fc856ec57c835c3458ca5540366f0b0fe1a0

SHA256
dc00c751c93bded6f7db114bf97ef145d708ac3a76afd251212aa1c958a14bd0

SHA512
ed8539ba963ba4a1dea55bdc278fe846b7f389c9fc506ee30062be1b6bfdfceaefda43f187e00370ad2ccddb302349f0d37fb89f4c971c038d5429b36740bf6c

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe

Filesize
55KB

MD5
4119dff0e23d09abd71f2e206fc8efc5

SHA1
d94882ce969e8a8eefa6b45640e36569af3b48e2

SHA256
0d953d607fc2dc64359140fcec4a4f8bf88cd1e1650691c3ac8bdee5bb24f137

SHA512
6cd13f506133eef39cfc86d766b948d6141386c2615433aa4b0d66f2c348a12c7adafe281f3db965aa7316242512106d1c1732e203a468c845998065ab2123ad

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
55KB

MD5
12faf4b5796f9afadb85b5644c167d92

SHA1
7209d498a5bad7083f5d6d8f9938593b68f9a51e

SHA256
5ee55763dd7b214ecd0c72035f78f9b505ebdb07c158056a6c86b0e8185333d6

SHA512
08ddccb4d3a456cf5a0308c19e4ee35dd44b24bfe6a982b39059dc224c765e1af49429d5444896a9f93775b0581f713fe0261fcdd0be850849f0b7689031eefd

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe

Filesize
55KB

MD5
c570d18d7f09847b24563e970c3d09c8

SHA1
6150a6daa62cef40ecfc013cace7adce61239f6c

SHA256
d7bda6181c6ae2da19711eae3949326203f54d48dfcf1e932eb1fc670ec1d8c1

SHA512
a0592f7113ce5a01cfc632804a92d04408ada5e7bfab804f95c7ddc413e249a0dd4b11c3513aa16599b385148089c2a798c542a5c8c14a7ab01736c64576aea6

Download Submit
C:\Windows\SysWOW64\Ehlhih32.exe

Filesize
55KB

MD5
9403838bc09404102f26b9f2f8c9470c

SHA1
ed33070a441b6abaa0764364b16c4f2c2ff65a3a

SHA256
dee033c8efcef7a133c8b43e17a0d028a56c337220f9e3778a875014fdf305b3

SHA512
854fa90a4760cd305bc3431ab685b4673016d011c1da27c2001890c9004b86c5f964cf977f2b2b5b146619efeea759f46d1e5db6938dfdbe10d5ae24e8919ee9

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe

Filesize
55KB

MD5
f71c421fea8594372b1b0e0084207259

SHA1
e2b1e38ac1ea09a24b19643c046fd01e3228a86d

SHA256
3983a5e11c6d85f6adc51501aadd23145e12a2036d7ae4a89e3cd50a256530ac

SHA512
fd7aee083666b8c3fe05fae8659a1d52bd2986185df21a72e3bb525eb99a76a0218d14eeb6546dd6c37064a112b0ce468e13dc0cd55e65fa02bf2d33ab083da1

Download Submit
C:\Windows\SysWOW64\Feenjgfq.exe

Filesize
55KB

MD5
c5cdd1632f2458987bced62ff5700196

SHA1
04954242cb0df5b78f8d657d0b3efbaeff33043e

SHA256
e2bf0c4a7b26416900744d944fbcd1cba2189fb20631a6b3db683966a5085f20

SHA512
6a8d34ae7b2f65b4c2bcd721a0d3e728c7eab3e80286bc5e5b998d38965a32869a0ad97eb1ada11de7ae3787c680b6ed7824c5d93cde36fcf83a3c340520aef1

Download Submit
C:\Windows\SysWOW64\Foapaa32.exe

Filesize
55KB

MD5
93039bd85d67669a9492ff2635bc76c3

SHA1
4d5f84a411fd945b695d003ea62d72ae47754998

SHA256
cbc3ad96a949026903fdd8699099a1b93735fb33ee3d417599bc906599dd178f

SHA512
692104f7b38c0d2dba4e3e6d5368714101d961f0e4fd47e1521eac05aa60f258845164a3b557440f652f93f9aaafe746f0334a7e39d62e9e1dcc18ae59c8e89d

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
55KB

MD5
c5e7f781207d37a320cf43c3f48aa086

SHA1
ca4b99a3be46bc9a4734a9600b28fc3b252a7712

SHA256
b18e3c1132f809bd2961054d741242c8b089e718fd1bfa849939dab78810bdbe

SHA512
4f5067d3098cc9f5c2c3abc440e61515affbf165ac70266ed320ed72c53f9b7cf6cff2621814e5e8da79d5c0c2de0271037d91b68891de5ee565e5ffea79d7ee

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
55KB

MD5
3cc7d379d9d8a327323e11ca6d81cf7f

SHA1
8512223a25bf2ecd50258d4d574d8f1c8a78178b

SHA256
356a37b0aeeb8e0e604dc64a1e6f566b8ef166fd4cb73246479fc765824d9074

SHA512
29c47f3d70d064bf3db7823586c27ee72b2401cb5cda774a069ffac7fe157a57cff440880a49e179d80276921f4bc82dee2180e4a062185a778e01ef797be78b

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
55KB

MD5
66cc8505d5db86e80fa928ab5d615040

SHA1
8574d3f67fe53fa58bc3bc6fa45786244ad273e7

SHA256
ef913500d3347dc330f0e811acf4e9f3cbdfc2b4a81f4e0a7d1e26c04e6102b2

SHA512
6a63fecca5e4277ce281b22bd49f54af9b88312629466a7ceefb5eda57eebc00ff3d7e52c5b7d73571af8b375e77068d1b1d757124346685c7304a83de2aa445

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
55KB

MD5
31cbdd97726b300af5f39eaa19e530d4

SHA1
47dbbfd040fdc87367b10b8b4a3a2d49f29e64cc

SHA256
826f52ae4bab6b2a35578db88ecc1e12ab7b6ade80d41e0c3d489b428d3b4ac6

SHA512
9e17ebae0ce79b5d0f2f0872cce15ed8713bafe0e0b7431802966db1450c6267425913d3cbc0a29d872b800b4c56c7fbf8defc903826e554dba6b88207882d69

Download Submit
C:\Windows\SysWOW64\Gihpkd32.exe

Filesize
55KB

MD5
ee0c0cb1ab2c6d225aba02aebe146630

SHA1
442cc751fd9f3e3a2b97741db89b6c610bf342c0

SHA256
f06a5bcc62b729389a12716eb04241848c77468774472f3bbe147e2ad39644be

SHA512
ff2fdf7f83b360731f6fbebf0d14e41116be349bec412a6b12e35cbde15ced13f197f8a2c975090f1a57c52e192171fa6d85e1d8bf91bf5241a9fe6cf53597a1

Download Submit
C:\Windows\SysWOW64\Gngeik32.exe

Filesize
55KB

MD5
75a046031ff4332d08fefde1abeda18e

SHA1
b0a0bf31c1617d8abde74724edb14d965bf49fb7

SHA256
66249e33bcfcfe9c91d764195b95348ed0592da63cca4c4d032b783149d5f952

SHA512
737a3b1b62d0bc1a9aa77fbfaeb5886b993b22fc60d5eb460d5774d113a9ab81b66093ae1f1ee54a253ff805996f57c9c7bb58dc464d9c2fc450a294200ff362

Download Submit
C:\Windows\SysWOW64\Gnnccl32.exe

Filesize
55KB

MD5
ae6d36bde9496608eb4a3b14dd02910a

SHA1
7f33bbf4547c4b16fa64d094e9551a91831e3b00

SHA256
213dbfaf647d6b9cf41dbcb82fa27fb769d3f3ab267f7c7ffcef6c7269a0b891

SHA512
b4f5704b7516aa508bc3fdd036a12409cde485600bfa78cf797768bf821533e6ff280cedcd33dfba8ca2cef978c2ba44cde5152f275bfa669361094f7d58b8c9

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
55KB

MD5
daf42b11f257742c9fffdccbb1498111

SHA1
e7561aa4f76226e7d28423db638e7037ae0f0c87

SHA256
9238f79e5d3765c93a80fa073d5c5c9d25f0e449cb54eda61f6b6f7eae9a709a

SHA512
6f19d6af3726c9a1d35af3b9e014655e8895db9d21dd64b7554bfee6f7531db9e57d9ab4411445d79993bb722b7a558760c84e014541863ea0b98afd9d5b16af

Download Submit
C:\Windows\SysWOW64\Hbihjifh.exe

Filesize
55KB

MD5
616090ca563812f1eccc9ef1cf79e252

SHA1
f9ee852d9d1b740ad95602736b7b084044bada67

SHA256
473677fdbade8938cd13286ee70c6619095d6ecc3ff67fd5f0c6dd1194d42dda

SHA512
1f65fd165b3222704d4eecbd39f3e2539f05f9481c1ccbabad98e0b49a34df7fc08417f8aef3a3ab27fccd9106f4631887a3068f243c196d6c94e95446d08de5

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
55KB

MD5
4a9d799042f2494e9cf1713eff51d455

SHA1
b04358f04bf9b60d1686a433c48fce2fd3d57123

SHA256
f7e9f516863458b383799eeef1d7d2b7da78456d963f9afcb8e01175766f714c

SHA512
b076f7cf56d81cfa32daa3a3bf753904d1bd28f7eb02fdc3bb6c58d901153a2e04ef0b5b9d83352eb54bd7b4570b3787e860b539a039a8214089affb253de4db

Download Submit
C:\Windows\SysWOW64\Hiacacpg.exe

Filesize
55KB

MD5
fedc437029c25c921f1cbac56dfb7688

SHA1
82672b0efe2e612204108b9de5519d643c2fbb8b

SHA256
0629f9edc1648fe97734161aa25aeaf081aeec43f725b104351ccbeb0864d35d

SHA512
1da06723c431a83c65f51fa177ce710d48393eb503380bd0aaabe863e03f86457e4e7a5484f9e98b35595e1172c97b416657b548947b55956f7255c9349fc578

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
55KB

MD5
185734b98660afd8c3921cfb0177c545

SHA1
e17db5013240d2c93a3e8303dd13d6d49a178a64

SHA256
1b1b535015c1db3bccecb4f7269f241d1f823388bb8dfa3e77514210c7bfb612

SHA512
742cd6aade7142e6e9bbb83d082dc176fe07e1e58a45a4285cdc2e2b768dcb242ce01a2fb54d4a16b36de07e40ee8bc1986de68c9c069b9dc63e7b4340e93d52

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
55KB

MD5
bce218327c18864d4174808ebe20c7e2

SHA1
701a5ccf05f497023d5ef6ff294981647c292e8d

SHA256
8d9dd860558f951d2d0dfe1bc355379eb6f7803052ac56c39ff38f5aded097a1

SHA512
6143b7e6b89bbcdda42bf304183f2a37f210d692f0aa2a3f49b480bad27a4be3b0ec5bb91f5a06fc5e3d19b4a36c29823f9c8c5950434bc7ba946a529ba38bc2

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
55KB

MD5
151a6965b658f403c3739f612884e3ad

SHA1
8c6c67be95264713cf57e7fae009bf8f597659b0

SHA256
3e9b6db7a40c87341b6a26cb9622527232d93b307de81ac834b8ac35acd275d9

SHA512
c086bc7f6198912baef8130af36db22153ee08442c6f3bc9992b1b843566f6fc6e626e9e87b69bf7ad9f753d5068b604eb27fe51add35d791e70696a6f306839

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
55KB

MD5
5621c33af8a05465edad18611224c39c

SHA1
cac81d4b2f892af8b6b960de4538381423d60be4

SHA256
b5671a6ed351f4c470b5bd4e8ccb3d5b8c3cf098a1dce242be1ba9f6c7deb3fa

SHA512
5bdfc5a80d306d8487e2fee864089cd2b2db7bfd890c6fc94cd3788df069d6335a3d0298e0c882b4e14166ef0e168a9d5c0f9319e439a22798c3f58625ce6fa6

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
55KB

MD5
d6f577024fe0c7e91d46677c108338f4

SHA1
479f033627bacba5a6589a583e49556fcbf998bd

SHA256
6249a2a20d78f71c89096fb78d9af1b3a833242021b744b40cb054f142e389df

SHA512
6f278408f99447073c9a9368cfd7c6d97b5d7777803bd83365f221cd16e4870a64a518124a4e10c57142bea0e2e50526609725adf7df8deb520bc06616e2d941

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
55KB

MD5
f961d6bc4220e3820103d5869db3c487

SHA1
2806853c121ac58068a97887abc2327d6e4026a0

SHA256
8b0c5b22766777f60888bd96dd52f68c6dbf98556f86ff3a58806e794049785a

SHA512
3986a4a9e30755b4a88bdb27fef678c29163967c5475526442c8ba4825624316c8cda8c60bb545860063d066222a92d4df85d8262493679f3f8610d25c309b7e

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
55KB

MD5
f458a6f3a7ffc9e67d2e19027c12b4da

SHA1
e9fc094f9d3a86a8b7b731181d30854b4abd28fd

SHA256
aaa11eda32f1020ada20273f9b9f40d98395f4d00158d21db8c98f40db784fc9

SHA512
d9b431553a2c40d4d67822d5c5a08787d05681db9bc429e55010a825e68be0d07194d3d3f077e206ab2375b9342dfbe0361bae8cd4c37bd43870b6c34bd2fb92

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
55KB

MD5
4dd5ee2c4b7d4d87a7c1c8a9dbc288c9

SHA1
924e89ac2c25612b4ed4e03c3bf046d570cbb075

SHA256
8ebff06d0a7700aaf75d2695ef7af1f5b445161d626f750a03061cc1f37603c0

SHA512
581a452eafe73b9dbcafad2d816cce0e1858a701bba2ff10320bddea41588d43b684a7445ea8440d5381b4888a97a7742667901b612ec5af98459e8a21d68d43

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
55KB

MD5
ba1f143d5322503f22a12e5504b79cdb

SHA1
053ad95ec93a089dc9017b357f8c234f5c7e9c3d

SHA256
ec3315896fff5109f4f7e1a4d0ac582b7243f0f315d270137ed16e48bab616a6

SHA512
4b240f17ca74678b8a64b199d3a08e15b33af295d38695b74e325efdff27bde04efe59295df47af1127d3a93f57928be82003c9c33c9744436f3800419b77c39

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
55KB

MD5
5425000835dabd767480720d7ef691b8

SHA1
0ec91f42bd8f44624d854981777d110fb6a4e570

SHA256
6e1a022d90863a15447ff1ffc5a4afceb6be64e811b6918f33b29cec8ccf5537

SHA512
06e6929df5520579edf20070b49e05c851fd6ad270925f516947350641a526c1651c5924988198c1f6e50acffcc84ed27959dbbe0ca278a468f70c35fe7bc5a9

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
55KB

MD5
6a6ea1f304b8f7a3f576b4a45e827d6d

SHA1
08182213ddf7ef27ff5b1b66f226d049d2910fda

SHA256
aa15426600fff1fb919f164cccc82115cf9de8309e121baa44a2ec073e008823

SHA512
201d99d7f5a23e9420266333068a07c84ccf79c30afb7a79fdf9ef3cd70ebc1bea66eae6937af8fdd3cf9430686655d2822ab770607b9d30d224cd5cc3a8d7af

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
55KB

MD5
cd9c4a5c336b21b8ce4d34497efac795

SHA1
b6582961c85a14696f010b950faa5c4807604d80

SHA256
9c7f0c20f4810e919d2c9da18656da8a9592f2ed2bae90de177b59dd2f28c94c

SHA512
02a755bb9d89f93933224f21625564a55c3c4ebb531ca8774456546c5c4df12d5a5491243f7e96af26aaa302cf79c8f6a7ab2434e9a1b806efc4788147866b8b

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
55KB

MD5
888a1d30281103eb7ab2bd66eef0e40b

SHA1
70547150badba81ded2a121ed00fee22dc1c2499

SHA256
7191cc4daae80c2c81e42bbeedc4481ca0a2c2dd4597f7974431bf05c72cf5cf

SHA512
e9d2e54350e042a63cb473e635a818fc5ec3afc3449325ea82e4c87b97329074ae277e8008647aabd301d1fb001c44df7252215d9b820ad39201a0348935a751

Download Submit
memory/212-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-780-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1288-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5336-814-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5636-808-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5968-802-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6088-800-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads