Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-3chnnahf2t
Target 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196
SHA256 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196

Threat Level: Known bad

The file 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196 was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:24

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Executes dropped EXE


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe C:\Windows\SysWOW64\Hpgkkioa.exe
PID 1968 wrote to memory of 560 N/A C:\Windows\SysWOW64\Hpgkkioa.exe C:\Windows\SysWOW64\Hbeghene.exe
PID 560 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Hbeghene.exe C:\Windows\SysWOW64\Hmklen32.exe
PID 5036 wrote to memory of 5084 N/A C:\Windows\SysWOW64\Hmklen32.exe C:\Windows\SysWOW64\Hpihai32.exe
PID 5084 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Hpihai32.exe C:\Windows\SysWOW64\Hfcpncdk.exe
PID 2912 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Hfcpncdk.exe C:\Windows\SysWOW64\Hibljoco.exe
PID 2920 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Hibljoco.exe C:\Windows\SysWOW64\Haidklda.exe
PID 1640 wrote to memory of 4796 N/A C:\Windows\SysWOW64\Haidklda.exe C:\Windows\SysWOW64\Ibjqcd32.exe
PID 4796 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Ibjqcd32.exe C:\Windows\SysWOW64\Ijaida32.exe
PID 3896 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Ijaida32.exe C:\Windows\SysWOW64\Impepm32.exe
PID 1396 wrote to memory of 4160 N/A C:\Windows\SysWOW64\Impepm32.exe C:\Windows\SysWOW64\Icjmmg32.exe
PID 4160 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Icjmmg32.exe C:\Windows\SysWOW64\Ijdeiaio.exe
PID 4232 wrote to memory of 3904 N/A C:\Windows\SysWOW64\Ijdeiaio.exe C:\Windows\SysWOW64\Iannfk32.exe
PID 3904 wrote to memory of 632 N/A C:\Windows\SysWOW64\Iannfk32.exe C:\Windows\SysWOW64\Ibojncfj.exe
PID 632 wrote to memory of 844 N/A C:\Windows\SysWOW64\Ibojncfj.exe C:\Windows\SysWOW64\Ijfboafl.exe
PID 844 wrote to memory of 528 N/A C:\Windows\SysWOW64\Ijfboafl.exe C:\Windows\SysWOW64\Imdnklfp.exe
PID 528 wrote to memory of 740 N/A C:\Windows\SysWOW64\Imdnklfp.exe C:\Windows\SysWOW64\Idofhfmm.exe
PID 740 wrote to memory of 4896 N/A C:\Windows\SysWOW64\Idofhfmm.exe C:\Windows\SysWOW64\Ifmcdblq.exe
PID 4896 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Iikopmkd.exe
PID 2888 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Iikopmkd.exe C:\Windows\SysWOW64\Iabgaklg.exe
PID 3868 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Iabgaklg.exe C:\Windows\SysWOW64\Idacmfkj.exe
PID 4504 wrote to memory of 4812 N/A C:\Windows\SysWOW64\Idacmfkj.exe C:\Windows\SysWOW64\Ijkljp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe

"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"

C:\Windows\SysWOW64\Hpgkkioa.exe

C:\Windows\system32\Hpgkkioa.exe

C:\Windows\SysWOW64\Hbeghene.exe

C:\Windows\system32\Hbeghene.exe

C:\Windows\SysWOW64\Hmklen32.exe

C:\Windows\system32\Hmklen32.exe

C:\Windows\SysWOW64\Hpihai32.exe

C:\Windows\system32\Hpihai32.exe

C:\Windows\SysWOW64\Hfcpncdk.exe

C:\Windows\system32\Hfcpncdk.exe

C:\Windows\SysWOW64\Hibljoco.exe

C:\Windows\system32\Hibljoco.exe

C:\Windows\SysWOW64\Haidklda.exe

C:\Windows\system32\Haidklda.exe

C:\Windows\SysWOW64\Ibjqcd32.exe

C:\Windows\system32\Ibjqcd32.exe

C:\Windows\SysWOW64\Ijaida32.exe

C:\Windows\system32\Ijaida32.exe

C:\Windows\SysWOW64\Impepm32.exe

C:\Windows\system32\Impepm32.exe

C:\Windows\SysWOW64\Icjmmg32.exe

C:\Windows\system32\Icjmmg32.exe

C:\Windows\SysWOW64\Ijdeiaio.exe

C:\Windows\system32\Ijdeiaio.exe

C:\Windows\SysWOW64\Iannfk32.exe

C:\Windows\system32\Iannfk32.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ifmcdblq.exe

C:\Windows\system32\Ifmcdblq.exe

C:\Windows\SysWOW64\Iikopmkd.exe

C:\Windows\system32\Iikopmkd.exe

C:\Windows\SysWOW64\Iabgaklg.exe

C:\Windows\system32\Iabgaklg.exe

C:\Windows\SysWOW64\Idacmfkj.exe

C:\Windows\system32\Idacmfkj.exe

C:\Windows\SysWOW64\Ijkljp32.exe

C:\Windows\system32\Ijkljp32.exe

C:\Windows\SysWOW64\Imihfl32.exe

C:\Windows\system32\Imihfl32.exe

C:\Windows\SysWOW64\Jdcpcf32.exe

C:\Windows\system32\Jdcpcf32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jiphkm32.exe

C:\Windows\system32\Jiphkm32.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jdemhe32.exe

C:\Windows\system32\Jdemhe32.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\system32\Jibeql32.exe

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jjbako32.exe

C:\Windows\system32\Jjbako32.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Kmegbjgn.exe

C:\Windows\system32\Kmegbjgn.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kbapjafe.exe

C:\Windows\system32\Kbapjafe.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kkpnlm32.exe

C:\Windows\system32\Kkpnlm32.exe

C:\Windows\SysWOW64\Kajfig32.exe

C:\Windows\system32\Kajfig32.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lpocjdld.exe

C:\Windows\system32\Lpocjdld.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lgikfn32.exe

C:\Windows\system32\Lgikfn32.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Laopdgcg.exe

C:\Windows\system32\Laopdgcg.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lcpllo32.exe

C:\Windows\system32\Lcpllo32.exe

C:\Windows\SysWOW64\Lijdhiaa.exe

C:\Windows\system32\Lijdhiaa.exe

C:\Windows\SysWOW64\Lnepih32.exe

C:\Windows\system32\Lnepih32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Ldohebqh.exe

C:\Windows\system32\Ldohebqh.exe

C:\Windows\SysWOW64\Lgneampk.exe

C:\Windows\system32\Lgneampk.exe

C:\Windows\SysWOW64\Lilanioo.exe

C:\Windows\system32\Lilanioo.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Lpfijcfl.exe

C:\Windows\system32\Lpfijcfl.exe

C:\Windows\SysWOW64\Ldaeka32.exe

C:\Windows\system32\Ldaeka32.exe

C:\Windows\SysWOW64\Lgpagm32.exe

C:\Windows\system32\Lgpagm32.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Laefdf32.exe

C:\Windows\system32\Laefdf32.exe

C:\Windows\SysWOW64\Lddbqa32.exe

C:\Windows\system32\Lddbqa32.exe

C:\Windows\SysWOW64\Lcgblncm.exe

C:\Windows\system32\Lcgblncm.exe

C:\Windows\SysWOW64\Lknjmkdo.exe

C:\Windows\system32\Lknjmkdo.exe

C:\Windows\SysWOW64\Mjqjih32.exe

C:\Windows\system32\Mjqjih32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mciobn32.exe

C:\Windows\system32\Mciobn32.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mpmokb32.exe

C:\Windows\system32\Mpmokb32.exe

C:\Windows\SysWOW64\Mcklgm32.exe

C:\Windows\system32\Mcklgm32.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mkepnjng.exe

C:\Windows\system32\Mkepnjng.exe

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Maohkd32.exe

C:\Windows\system32\Maohkd32.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mdmegp32.exe

C:\Windows\system32\Mdmegp32.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Maaepd32.exe

C:\Windows\system32\Maaepd32.exe

C:\Windows\SysWOW64\Mpdelajl.exe

C:\Windows\system32\Mpdelajl.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mcbahlip.exe

C:\Windows\system32\Mcbahlip.exe

C:\Windows\SysWOW64\Nkjjij32.exe

C:\Windows\system32\Nkjjij32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Njogjfoj.exe

C:\Windows\system32\Njogjfoj.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Ngcgcjnc.exe

C:\Windows\system32\Ngcgcjnc.exe

C:\Windows\SysWOW64\Njacpf32.exe

C:\Windows\system32\Njacpf32.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nqmhbpba.exe

C:\Windows\system32\Nqmhbpba.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6068 -ip 6068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files


memory/3868-165-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Iabgaklg.exe

MD5 547fde7e579767e1fd4b2eb4391c733e
SHA1 7f8a3c91dfccd5bd71fb250b818a0a122a0dd93d
SHA256 baa1101c45cc7205c6be42ec0c57c11ae08617494c220b90c90912cf35e453f8
SHA512 7b3380fc607fb0b640ba07945c23f3a7f075c67bf520bc3567471ff3a6bb738a9d0fdc747bd3cc36f75aae9447f99f3f71f737c2794c40ccbe16e396578ba80b

memory/4896-145-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Idofhfmm.exe

MD5 04c70c04ca6dbb0cbdf1c5f27d0154b3
SHA1 776d582c39f0d92bfff7136cd620e0122f9dd4e9
SHA256 0beb32ed55b6c5bcc2f9354bfcf9c9d7a91de88c763f80fc810dbddc4b573390
SHA512 4a8ff65994db4116d13c76eefb21cb5cf7553f6581c99023999c1dcc67adc63524710f97fd2e655f4ca8832da951eb088beb9433f8a542c282512df6c3e8fdec

memory/844-121-0x0000000000400000-0x0000000000434000-memory.dmp

memory/632-113-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lddbqa32.exe

MD5 591d9f038ad067bb505cdd4e2ef8b03e
SHA1 a75cfa269fe4386e32cccd89b951df3d79555ba2
SHA256 79e1d392d735eda2d72fb50930cc159cf34bd37ed339e872ec48e7ed0452bb29
SHA512 7e536e6e16d45da6b9a25c4ee23fe20e677f18657f31caaf78161b658a241792f5dd08a926d64801421a1f79253f9f4d807744fc86b7942e8273fae3d42a1d8b

memory/4232-97-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ibjqcd32.exe

MD5 637d1eb97ed55e43bba6beb6ba0abd6d
SHA1 fa52eb96f38c4f89de134354521ddcb2bd530218
SHA256 35268d59003f317ca5d9e90ebcd2857ab318d8da97303cdbf9e6b26040bc13d9
SHA512 70d354d6ca64fe12558bf6bd97f48e375df354e267369f0e8edba3d6d2df12d1a3a1a5db36cf796330b1a3ffee77f0e6ca02a4e5e6584600a95ae14702351a4d

C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 d2e196230575976fe91a8298029c71f2
SHA1 e28f1eb212781446a317d3d8483215df4047b429
SHA256 1fff86b5b3501e1a1682952fae0a325759c681cd7b83c122a5cd4cea2e219a6f
SHA512 5c9886f4313d56a39fc1d013057b692c2c525c003369537344fc5075837e3da9f4d8d105fb84a93ec186c1da6651c3583af77e34078b6d9fbbab07d439fdc5b3

C:\Windows\SysWOW64\Mpmokb32.exe

MD5 27e85a83b477499996c5075c929a066a
SHA1 aad5c22ff50888b565353646e39d0ea8d69ac2b3
SHA256 7491fb3d315584e39ac7695d7b51ac54dc3102e0f6991f397b32e63771552b23
SHA512 8206d312326cd79d45919d48fb21c385af15d1a2292de2bee77f75006cc2449105f940d4a56696e825df5edb084930a0b95d8378044eef4c2d1bfc8b9e1b2527

C:\Windows\SysWOW64\Mpolqa32.exe

MD5 629b5458451001ed3b537a82ab344424
SHA1 f6a591cd3efd4ff197c99a35d1e9a70126ffa590
SHA256 2dfe34c5db0486dc712e4cf0b59f0192b1b2528505f5aa55198726be7887c38d
SHA512 3ff127fc61e97bbcf7aa96cb4004eaa8efd41bc03febf8d1159d572dabd01a1191b85c9f5a5b5a26a48350eafe1cbb3b0815546dd40de74b6ae4810a408f2a2e

C:\Windows\SysWOW64\Mpaifalo.exe

MD5 77666e5ac1142445cd4ad204c79bf6e6
SHA1 9e63526f85733ec4f7d0e66e669b3376d050189c
SHA256 965ddefb2c332225f9c954f6c35fed53a826ecd21720f2d61e421fedb1eb1f43
SHA512 64150d951e2ad23b00bb612e0e5ded85613ee62dfac6c33be66a3d87aa4ef87a133e00119d98dce8215053fcf643e05adf4f2ffe4f4a9156c454a325efff2ef0

C:\Windows\SysWOW64\Mjjmog32.exe

MD5 445279c0bf9d92f2694361299eeab20f
SHA1 01de3095c39944f9b69169ecb84c58a23f10ce55
SHA256 a86ab6dc8c535e547228b85e58a808e4c1c6d557697010fac24c610025d521b0
SHA512 b576ff0d08f9aabeb539fb89c07174a958493a93ab7c8e8e6fda2ba6f353d6c11a31fc00d0998bfc4114b7b7e5e3d500cff49ce508bf92ed3b19569caf058d71

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:22

Reported

2024-04-07 23:24

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acpdko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acpdko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bejdiffp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjldghjm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anlfbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anlfbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfaocal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjldghjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bajomhbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bejdiffp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Anlfbi32.exe N/A
File created C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cpfaocal.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cpfaocal.exe N/A
File created C:\Windows\SysWOW64\Lmmlmd32.dll C:\Windows\SysWOW64\Anlfbi32.exe N/A
File created C:\Windows\SysWOW64\Aoogfhfp.dll C:\Windows\SysWOW64\Cpfaocal.exe N/A
File created C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Pokieo32.exe N/A
File created C:\Windows\SysWOW64\Oodajl32.dll C:\Windows\SysWOW64\Pokieo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Pmccjbaf.exe N/A
File created C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Bejdiffp.exe N/A
File created C:\Windows\SysWOW64\Dqcngnae.dll C:\Windows\SysWOW64\Bejdiffp.exe N/A
File created C:\Windows\SysWOW64\Lnhbfpnj.dll C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
File created C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pjldghjm.exe N/A
File created C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Pmccjbaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Pokieo32.exe N/A
File created C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Acpdko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Bajomhbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Bejdiffp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
File created C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File created C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Anlfbi32.exe N/A
File created C:\Windows\SysWOW64\Ecjdib32.dll C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Nmmfff32.dll C:\Windows\SysWOW64\Bajomhbl.exe N/A
File created C:\Windows\SysWOW64\Pjldghjm.exe C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
File opened for modification C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pjldghjm.exe N/A
File created C:\Windows\SysWOW64\Gcnmkd32.dll C:\Windows\SysWOW64\Pmccjbaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File created C:\Windows\SysWOW64\Odmoin32.dll C:\Windows\SysWOW64\Qbbhgi32.exe N/A
File created C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File opened for modification C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Bajomhbl.exe N/A
File created C:\Windows\SysWOW64\Hmomkh32.dll C:\Windows\SysWOW64\Pjldghjm.exe N/A
File opened for modification C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Acpdko32.exe N/A
File created C:\Windows\SysWOW64\Fhbhji32.dll C:\Windows\SysWOW64\Acpdko32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" C:\Windows\SysWOW64\Anlfbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bajomhbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acpdko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pokieo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anlfbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll" C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll" C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjldghjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomkh32.dll" C:\Windows\SysWOW64\Pjldghjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjldghjm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll" C:\Windows\SysWOW64\Qbbhgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pokieo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anlfbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bajomhbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bejdiffp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2208 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2208 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2208 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2600 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 2600 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 2600 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 2600 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 2572 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pmccjbaf.exe
PID 2572 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pmccjbaf.exe
PID 2572 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pmccjbaf.exe
PID 2572 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pmccjbaf.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2648 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Qbbhgi32.exe
PID 2880 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Anlfbi32.exe
PID 2880 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Anlfbi32.exe
PID 2880 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Anlfbi32.exe
PID 2880 wrote to memory of 2400 N/A C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\SysWOW64\Anlfbi32.exe
PID 2400 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 2400 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 2400 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 2400 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Anlfbi32.exe C:\Windows\SysWOW64\Afkdakjb.exe
PID 2660 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Acpdko32.exe
PID 2660 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Acpdko32.exe
PID 2660 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Acpdko32.exe
PID 2660 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Acpdko32.exe
PID 2004 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Bajomhbl.exe
PID 2004 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Bajomhbl.exe
PID 2004 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Bajomhbl.exe
PID 2004 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Acpdko32.exe C:\Windows\SysWOW64\Bajomhbl.exe
PID 1100 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bejdiffp.exe
PID 1100 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bejdiffp.exe
PID 1100 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bejdiffp.exe
PID 1100 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bejdiffp.exe
PID 2716 wrote to memory of 996 N/A C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Cpfaocal.exe
PID 2716 wrote to memory of 996 N/A C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Cpfaocal.exe
PID 2716 wrote to memory of 996 N/A C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Cpfaocal.exe
PID 2716 wrote to memory of 996 N/A C:\Windows\SysWOW64\Bejdiffp.exe C:\Windows\SysWOW64\Cpfaocal.exe
PID 996 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Ceegmj32.exe
PID 996 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Ceegmj32.exe
PID 996 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Ceegmj32.exe
PID 996 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Ceegmj32.exe
PID 2000 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2000 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2000 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2000 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe

"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"

C:\Windows\SysWOW64\Pjldghjm.exe

C:\Windows\system32\Pjldghjm.exe

C:\Windows\SysWOW64\Pokieo32.exe

C:\Windows\system32\Pokieo32.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Qbbhgi32.exe

C:\Windows\system32\Qbbhgi32.exe

C:\Windows\SysWOW64\Anlfbi32.exe

C:\Windows\system32\Anlfbi32.exe

C:\Windows\SysWOW64\Afkdakjb.exe

C:\Windows\system32\Afkdakjb.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Bajomhbl.exe

C:\Windows\system32\Bajomhbl.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 140

Network

N/A

Files

memory/2208-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pjldghjm.exe

MD5 15b9cb7a3b46c80a2c593a1421cdf0e1
SHA1 1c86bae559d2f1ed3be0b962925fb3c29e61ba6f
SHA256 1ca126b84f0826bc517be76abea4adbb2e11e2038831cbb5fe69a7c7aaee303f
SHA512 72552e714e7aa38beb09c5583a15e1ca670d8f089f2de0a14a60fd393d3b169f20341c763514c983da89ad21a8503e7512a503c99429c503e91bbd87b48d8f4e

memory/2208-6-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2208-13-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2600-19-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pokieo32.exe

MD5 352435c3c5ba2ef4a9d726ff8f86e631
SHA1 e1262a23d34bf98f725e2021482dba5f7b8df217
SHA256 284352735787c37aa5b0d64ebba5af667528f2cce249b422f0e079daee9d155d
SHA512 68e6ef7daaa23594957a7c08c3d6fe76551a09dbc81065427b5a2cb1bb8f910a71a796708382f281c98b11f3789eb9fb3823d30244c25032b52b1f9166d0f7ff

memory/2600-32-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2600-33-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2572-34-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pmccjbaf.exe

MD5 93cddfca1cdb99e02a919d7c4c1852df
SHA1 42736ad6a8fce023f09bde411b74b40c6f7f81a3
SHA256 91d7a5f95119e9796024d39e3d38727e0834f8129787db987f90b3e7310d0fe4
SHA512 6e3ad04ae740fc5fe91d0b1ad9fd5beeddc1d1824ad312e98515d920e0634487fa328d477dd93cd0de6fbfd97552ee4f8d6fdf06aea3d2d9bae1afbce0cdd51c

memory/2648-42-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Qbbhgi32.exe

MD5 36bbc888aa3f3ff5d817c7f10608b5c1
SHA1 63da3af6aa47e01578e0a1818c7571191dc06da3
SHA256 6db7b790cde4697556fe3b7469e39b02fd9c8bcf607c66c5ae4ef6b3810eff01
SHA512 6d71ddbf5432385db97a70bb1bc9e964e0757ac35f11a70a9fe7019fc01ad2b4904a575ebcdb74b0fd3c337d8b351f5d01381b1532114b3767a122d5c0a256bd

memory/2880-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Anlfbi32.exe

MD5 c8f60926fb4908d72a2023a16fb8fae3
SHA1 ee79365d21266e6ff5d18ee7ffa6db5140782057
SHA256 dc08c4266f7f15f97018f94bb9e6f2bd9d665d48c4127468589449f439186660
SHA512 4edcd4917fd7222e882793bfb1cfd1e8ed5e7877e9e28060fbcd35b50a66e61743e7125db1d5844955cf432bed4f15e0c468812970d0036f420e1320f4aaa042

memory/2880-63-0x0000000000220000-0x0000000000254000-memory.dmp

\Windows\SysWOW64\Afkdakjb.exe

MD5 43f1dbfe3258b6ce60fb1a0b015e8bcd
SHA1 c61b3432b5b01ff8f46852e2ad99c0885f15856d
SHA256 c60f37e390afcb7b3f4d1b8d7252d56bfc84940db3871c880eba93a7f533b8c6
SHA512 3ef354ec93d449abfe6899e7bb9c5a0900b91b4c00e614865ee6b655d8da7b8e7e5064299d26fe5418d9e583dfca0d16fe1e94576eff5f860a7b063e0cad07e7

C:\Windows\SysWOW64\Acpdko32.exe

MD5 f3976d5c4f460179b57a313ed566617b
SHA1 67bbdd18995677c10554340c89242a07806aaf12
SHA256 a6b52d93fbcf3a174e032acb5989724ef82866670d286e749203b3014f5fa82d
SHA512 6e0c4f8914b2fbbfa8647c58feb675d2c024749bf605ca2e19da5eb1ed94dcb7eb4d0e8df64e14e7bb3cf95af7e30e657b9e70a5ba14ae1592846e2a136882c8

memory/2400-93-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2400-99-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2660-100-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-101-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Bajomhbl.exe

MD5 f2c4beeb67a7aa9febbacac6615778c0
SHA1 fe5f832f0ae501bd409a80b593bc08c6525f0664
SHA256 4b16b8852417a9416ace2f1107fdf89d49a265eef9c1199bfefa6e3e3c1b87b3
SHA512 90136a1b92d1b5fecc6dd82a8828176add2ea7ecf2752ad94032a5ac9f57e9d47a031cef31e97a4c271702cce432094fd31e46673fd213f922c9d5628ec4b26b

memory/1100-110-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Bejdiffp.exe

MD5 7a35d09e13e2550e9730b4ecf91f2142
SHA1 bee36c6b41240123b9de4806b75f137bf0f98fc8
SHA256 76a6805d15c2e288135055f78936b44157ca6112e212ece050256bb1bcaf69df
SHA512 dcd2cf56bf5866991491cfdc0aed518e0a9b055666a1b1940f87100de710d898610c2d7a6188ce5f4419605e2a70ed383a4847e9882de2e7ebae6ab2cf89a231

memory/1100-121-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2716-128-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Cpfaocal.exe

MD5 f9b6dcaf6485c05f8a012365a9f03042
SHA1 86b933b2dbdda0b5194bf655c65310be90ad6c9d
SHA256 00cdc5e8777103b5ca3d6cca00ab4a514dca87fe1d56ae1d767c6cf92e734cb3
SHA512 6372b794feae45083125c593ddaee254b1e5d2871eb362a542728ea10fe6a3a831d70c614c58893bfb38ce6ada9929b1e87dbc41e221d897acbbdb38fbca4b71

memory/996-142-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2716-135-0x0000000000220000-0x0000000000254000-memory.dmp

\Windows\SysWOW64\Ceegmj32.exe

MD5 d11956fae14bf97afbe3b59ec91c4436
SHA1 ae35699fb1ae11013e0cdf23817c134669e670bb
SHA256 770c799dd6e76c4b58cbe689a8179cb3521d88bdd0ba6ab620a1adf554aef61c
SHA512 b16a0d4bb1e79f478df0d0f242d7433f4cc9fd700160e946676b28d413c4623e2a63f05eb86ad12deaf857a17b7c9922bccc7d7f088cd29f4265989e50ccabad

memory/2000-150-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-155-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2648-156-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2880-157-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2400-158-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1100-159-0x0000000000400000-0x0000000000434000-memory.dmp