15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6

Analysis

max time kernel
129s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
Size

416KB
MD5

0bbb81b3ec9ac9f98b466d4766ba4570
SHA1

39016d8a43398197fc1becda0a04ab3e1a86dde8
SHA256

15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6
SHA512

47b3042abdd859bd5f35e945c73345a0190f681d0c0613e3ce1b8f5d34451168cd398e1db7eb8e39753a8b3dd78dade1a92e88aa65482c7181444c76169e2675
SSDEEP

12288:hhSSWGHYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:VWGHYJ07kE0KoFtw2gu9RxrBIUbPLwHh

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lnhmng32.exeLgpagm32.exeLknjmkdo.exeMnlfigcc.exeMkpgck32.exeMpmokb32.exeMgidml32.exeNklfoi32.exeNbhkac32.exeNjcpee32.exeNggqoj32.exe15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exeKmlnbi32.exeKgdbkohf.exeMjhqjg32.exeNkncdifl.exeNnmopdep.exeLnepih32.exeLdohebqh.exeLpfijcfl.exeLdaeka32.exeNacbfdao.exeLiekmj32.exeMglack32.exeMdpalp32.exeLpocjdld.exeLkdggmlj.exeLcpllo32.exeNcgkcl32.exeLklnhlfb.exeMcklgm32.exeNdghmo32.exeKckbqpnj.exeMnocof32.exeNnjbke32.exeMaaepd32.exeNbkhfc32.exeMpkbebbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe

Malware Dropper & Backdoor - Berbew 34 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Kmlnbi32.exe	family_berbew
C:\Windows\SysWOW64\Kcifkp32.exe	family_berbew
C:\Windows\SysWOW64\Kgdbkohf.exe	family_berbew
C:\Windows\SysWOW64\Kckbqpnj.exe	family_berbew
C:\Windows\SysWOW64\Kgfoan32.exe	family_berbew
C:\Windows\SysWOW64\Liekmj32.exe	family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe	family_berbew
C:\Windows\SysWOW64\Lkdggmlj.exe	family_berbew
C:\Windows\SysWOW64\Lcpllo32.exe	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
C:\Windows\SysWOW64\Ldohebqh.exe	family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe	family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe	family_berbew
C:\Windows\SysWOW64\Lpfijcfl.exe	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
C:\Windows\SysWOW64\Lklnhlfb.exe	family_berbew
C:\Windows\SysWOW64\Lknjmkdo.exe	family_berbew
C:\Windows\SysWOW64\Mnlfigcc.exe	family_berbew
C:\Windows\SysWOW64\Mpkbebbf.exe	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
C:\Windows\SysWOW64\Mnocof32.exe	family_berbew
C:\Windows\SysWOW64\Mpmokb32.exe	family_berbew
C:\Windows\SysWOW64\Mcklgm32.exe	family_berbew
C:\Windows\SysWOW64\Mgidml32.exe	family_berbew
C:\Windows\SysWOW64\Mjhqjg32.exe	family_berbew
C:\Windows\SysWOW64\Mdmegp32.exe	family_berbew
C:\Windows\SysWOW64\Mglack32.exe	family_berbew
C:\Windows\SysWOW64\Maaepd32.exe	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew
C:\Windows\SysWOW64\Nacbfdao.exe	family_berbew
C:\Windows\SysWOW64\Nklfoi32.exe	family_berbew
C:\Windows\SysWOW64\Nnjbke32.exe	family_berbew
C:\Windows\SysWOW64\Ndghmo32.exe	family_berbew

Executes dropped EXE 43 IoCs

Processes:

Kmlnbi32.exeKcifkp32.exeKgdbkohf.exeKckbqpnj.exeKgfoan32.exeLiekmj32.exeLpocjdld.exeLkdggmlj.exeLcpllo32.exeLnepih32.exeLdohebqh.exeLnhmng32.exeLpfijcfl.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLknjmkdo.exeMnlfigcc.exeMpkbebbf.exeMkpgck32.exeMnocof32.exeMpmokb32.exeMcklgm32.exeMgidml32.exeMjhqjg32.exeMdmegp32.exeMglack32.exeMaaepd32.exeMdpalp32.exeNacbfdao.exeNklfoi32.exeNnjbke32.exeNcgkcl32.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNdghmo32.exeNcihikcg.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNggqoj32.exeNkcmohbg.exe

pid	process
4328	Kmlnbi32.exe
112	Kcifkp32.exe
4668	Kgdbkohf.exe
3976	Kckbqpnj.exe
1072	Kgfoan32.exe
1372	Liekmj32.exe
4716	Lpocjdld.exe
3052	Lkdggmlj.exe
1076	Lcpllo32.exe
2008	Lnepih32.exe
1720	Ldohebqh.exe
3880	Lnhmng32.exe
2812	Lpfijcfl.exe
3908	Ldaeka32.exe
2548	Lgpagm32.exe
1464	Lklnhlfb.exe
2496	Lknjmkdo.exe
1920	Mnlfigcc.exe
432	Mpkbebbf.exe
2700	Mkpgck32.exe
4512	Mnocof32.exe
944	Mpmokb32.exe
3552	Mcklgm32.exe
2500	Mgidml32.exe
5076	Mjhqjg32.exe
4508	Mdmegp32.exe
4536	Mglack32.exe
1776	Maaepd32.exe
4412	Mdpalp32.exe
5084	Nacbfdao.exe
4616	Nklfoi32.exe
3332	Nnjbke32.exe
4760	Ncgkcl32.exe
656	Nkncdifl.exe
3076	Nnmopdep.exe
3372	Nbhkac32.exe
796	Ndghmo32.exe
2668	Ncihikcg.exe
2416	Njcpee32.exe
4764	Nbkhfc32.exe
4524	Nqmhbpba.exe
2364	Nggqoj32.exe
4024	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Lcpllo32.exeMnocof32.exeNjcpee32.exeNqmhbpba.exeMglack32.exeNnjbke32.exeNnmopdep.exeMjhqjg32.exeMnlfigcc.exeNacbfdao.exeLdaeka32.exeLknjmkdo.exeMgidml32.exeNkncdifl.exeLpfijcfl.exeMcklgm32.exeMaaepd32.exeNbkhfc32.exeLdohebqh.exeMpkbebbf.exeMdpalp32.exeKgfoan32.exeKcifkp32.exeLnepih32.exeMdmegp32.exeNdghmo32.exeNcihikcg.exeNggqoj32.exeKmlnbi32.exeNbhkac32.exeLnhmng32.exeLklnhlfb.exeMpmokb32.exeKckbqpnj.exeLpocjdld.exe15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exeLgpagm32.exeLkdggmlj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lkdggmlj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

456 4024 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
456	4024	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Nklfoi32.exeKgfoan32.exeMcklgm32.exeMglack32.exeNnjbke32.exeNbkhfc32.exeLiekmj32.exeLpfijcfl.exeMpmokb32.exeLdaeka32.exeMjhqjg32.exeNqmhbpba.exeMgidml32.exe15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exeLkdggmlj.exeMdpalp32.exeNjcpee32.exeKcifkp32.exeNnmopdep.exeNdghmo32.exeNkncdifl.exeNggqoj32.exeKgdbkohf.exeLklnhlfb.exeMkpgck32.exeMpkbebbf.exeNcgkcl32.exeKmlnbi32.exeLdohebqh.exeNcihikcg.exeLpocjdld.exeLnepih32.exeMaaepd32.exeNacbfdao.exeLknjmkdo.exeMdmegp32.exeKckbqpnj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exeKmlnbi32.exeKcifkp32.exeKgdbkohf.exeKckbqpnj.exeKgfoan32.exeLiekmj32.exeLpocjdld.exeLkdggmlj.exeLcpllo32.exeLnepih32.exeLdohebqh.exeLnhmng32.exeLpfijcfl.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLknjmkdo.exeMnlfigcc.exeMpkbebbf.exeMkpgck32.exeMnocof32.exe

description	pid	process	target process
PID 3776 wrote to memory of 4328	3776	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe	Kmlnbi32.exe
PID 3776 wrote to memory of 4328	3776	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe	Kmlnbi32.exe
PID 3776 wrote to memory of 4328	3776	15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe	Kmlnbi32.exe
PID 4328 wrote to memory of 112	4328	Kmlnbi32.exe	Kcifkp32.exe
PID 4328 wrote to memory of 112	4328	Kmlnbi32.exe	Kcifkp32.exe
PID 4328 wrote to memory of 112	4328	Kmlnbi32.exe	Kcifkp32.exe
PID 112 wrote to memory of 4668	112	Kcifkp32.exe	Kgdbkohf.exe
PID 112 wrote to memory of 4668	112	Kcifkp32.exe	Kgdbkohf.exe
PID 112 wrote to memory of 4668	112	Kcifkp32.exe	Kgdbkohf.exe
PID 4668 wrote to memory of 3976	4668	Kgdbkohf.exe	Kckbqpnj.exe
PID 4668 wrote to memory of 3976	4668	Kgdbkohf.exe	Kckbqpnj.exe
PID 4668 wrote to memory of 3976	4668	Kgdbkohf.exe	Kckbqpnj.exe
PID 3976 wrote to memory of 1072	3976	Kckbqpnj.exe	Kgfoan32.exe
PID 3976 wrote to memory of 1072	3976	Kckbqpnj.exe	Kgfoan32.exe
PID 3976 wrote to memory of 1072	3976	Kckbqpnj.exe	Kgfoan32.exe
PID 1072 wrote to memory of 1372	1072	Kgfoan32.exe	Liekmj32.exe
PID 1072 wrote to memory of 1372	1072	Kgfoan32.exe	Liekmj32.exe
PID 1072 wrote to memory of 1372	1072	Kgfoan32.exe	Liekmj32.exe
PID 1372 wrote to memory of 4716	1372	Liekmj32.exe	Lpocjdld.exe
PID 1372 wrote to memory of 4716	1372	Liekmj32.exe	Lpocjdld.exe
PID 1372 wrote to memory of 4716	1372	Liekmj32.exe	Lpocjdld.exe
PID 4716 wrote to memory of 3052	4716	Lpocjdld.exe	Lkdggmlj.exe
PID 4716 wrote to memory of 3052	4716	Lpocjdld.exe	Lkdggmlj.exe
PID 4716 wrote to memory of 3052	4716	Lpocjdld.exe	Lkdggmlj.exe
PID 3052 wrote to memory of 1076	3052	Lkdggmlj.exe	Lcpllo32.exe
PID 3052 wrote to memory of 1076	3052	Lkdggmlj.exe	Lcpllo32.exe
PID 3052 wrote to memory of 1076	3052	Lkdggmlj.exe	Lcpllo32.exe
PID 1076 wrote to memory of 2008	1076	Lcpllo32.exe	Lnepih32.exe
PID 1076 wrote to memory of 2008	1076	Lcpllo32.exe	Lnepih32.exe
PID 1076 wrote to memory of 2008	1076	Lcpllo32.exe	Lnepih32.exe
PID 2008 wrote to memory of 1720	2008	Lnepih32.exe	Ldohebqh.exe
PID 2008 wrote to memory of 1720	2008	Lnepih32.exe	Ldohebqh.exe
PID 2008 wrote to memory of 1720	2008	Lnepih32.exe	Ldohebqh.exe
PID 1720 wrote to memory of 3880	1720	Ldohebqh.exe	Lnhmng32.exe
PID 1720 wrote to memory of 3880	1720	Ldohebqh.exe	Lnhmng32.exe
PID 1720 wrote to memory of 3880	1720	Ldohebqh.exe	Lnhmng32.exe
PID 3880 wrote to memory of 2812	3880	Lnhmng32.exe	Lpfijcfl.exe
PID 3880 wrote to memory of 2812	3880	Lnhmng32.exe	Lpfijcfl.exe
PID 3880 wrote to memory of 2812	3880	Lnhmng32.exe	Lpfijcfl.exe
PID 2812 wrote to memory of 3908	2812	Lpfijcfl.exe	Ldaeka32.exe
PID 2812 wrote to memory of 3908	2812	Lpfijcfl.exe	Ldaeka32.exe
PID 2812 wrote to memory of 3908	2812	Lpfijcfl.exe	Ldaeka32.exe
PID 3908 wrote to memory of 2548	3908	Ldaeka32.exe	Lgpagm32.exe
PID 3908 wrote to memory of 2548	3908	Ldaeka32.exe	Lgpagm32.exe
PID 3908 wrote to memory of 2548	3908	Ldaeka32.exe	Lgpagm32.exe
PID 2548 wrote to memory of 1464	2548	Lgpagm32.exe	Lklnhlfb.exe
PID 2548 wrote to memory of 1464	2548	Lgpagm32.exe	Lklnhlfb.exe
PID 2548 wrote to memory of 1464	2548	Lgpagm32.exe	Lklnhlfb.exe
PID 1464 wrote to memory of 2496	1464	Lklnhlfb.exe	Lknjmkdo.exe
PID 1464 wrote to memory of 2496	1464	Lklnhlfb.exe	Lknjmkdo.exe
PID 1464 wrote to memory of 2496	1464	Lklnhlfb.exe	Lknjmkdo.exe
PID 2496 wrote to memory of 1920	2496	Lknjmkdo.exe	Mnlfigcc.exe
PID 2496 wrote to memory of 1920	2496	Lknjmkdo.exe	Mnlfigcc.exe
PID 2496 wrote to memory of 1920	2496	Lknjmkdo.exe	Mnlfigcc.exe
PID 1920 wrote to memory of 432	1920	Mnlfigcc.exe	Mpkbebbf.exe
PID 1920 wrote to memory of 432	1920	Mnlfigcc.exe	Mpkbebbf.exe
PID 1920 wrote to memory of 432	1920	Mnlfigcc.exe	Mpkbebbf.exe
PID 432 wrote to memory of 2700	432	Mpkbebbf.exe	Mkpgck32.exe
PID 432 wrote to memory of 2700	432	Mpkbebbf.exe	Mkpgck32.exe
PID 432 wrote to memory of 2700	432	Mpkbebbf.exe	Mkpgck32.exe
PID 2700 wrote to memory of 4512	2700	Mkpgck32.exe	Mnocof32.exe
PID 2700 wrote to memory of 4512	2700	Mkpgck32.exe	Mnocof32.exe
PID 2700 wrote to memory of 4512	2700	Mkpgck32.exe	Mnocof32.exe
PID 4512 wrote to memory of 944	4512	Mnocof32.exe	Mpmokb32.exe

C:\Users\Admin\AppData\Local\Temp\15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe
"C:\Users\Admin\AppData\Local\Temp\15a4ddb02a88523cfbb345cc386bbfdd85a6452fa46eefa942a58011a7df6ed6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:944

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2500

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5076

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4508

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4536

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1776

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4412

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5084

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4616

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3332

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4760

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:656

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3076

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3372

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:796

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4764

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4524

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2364

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
44⤵
- Executes dropped EXE
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 212
45⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4024 -ip 4024
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
416KB

MD5
c150e81b8b5069e66f105c8d7b4b20c8

SHA1
0df4b9da9476bf6482cc74caf3f0f5a17e82fc3d

SHA256
5fab48f5549ffee57522f2e6bcbd673be25adedd9cdf995c8f0a064cc87c09fb

SHA512
fdbdc635c5543c9054a4a15daecfda28db637dceb34f8cf44df36bf45f51ffeee1793846b5173e06b1ef04bdb0a5c9f5e589d7f03b522cba5f373e89fe457062

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
416KB

MD5
9b862790c64c9f11c93af398c5bd781c

SHA1
71069e03c716a6d1be924689317674ce7058d397

SHA256
ab263a3c2e9871a7e9d7ae63923cf0a6bc5564101a9b555e6c853c77e99de3e0

SHA512
920efb2fc40a7dec72415667756ce6cfbf43efbefe59015579ccbebeee0a51617168ab4b1828ca36aa298c427d8869ab6c714602c71c6e6ed09df36eefc6b696

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
416KB

MD5
75f872a1055cebdc0828068bc04050a4

SHA1
5ed5692a3f0c5444491c89ff89b02d2af7bce811

SHA256
6cbeead3181edb0742ebf30169925cc897726c4b002bc4f77a92f747c01ae1c8

SHA512
6d44202efd3e371ddbb975254cd1cbf1337b6098becd7a117d463ef43eea7727f3f15205ed437bf24e4d119f35a77e80e402eaa9f196d1af94beff23fdf2860c

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
416KB

MD5
dd99e785886316be830f141a85b2567e

SHA1
f5a0870cf30345ece837d538a936a1f0653a2134

SHA256
ff47ff8b35cc99ba8c219f098e2baa6ded4baf965b81e862510c6049f4f4d372

SHA512
c28234581735b7d534656aa3b186fe514278bc881dc46671d98b2336bbdf5edcb6a7793f6e380693e8d88263feeb4df8e83ffaca2ef91d8ac461f5311f50561a

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
416KB

MD5
d26ee31706fe5154166fb8e1875bd620

SHA1
7d4e89facc70238001400d6457df936702201472

SHA256
41a6cc6eb6ff68e735cb83c2f5b49849be4548aa1fe16967b180de041bd0467b

SHA512
ffa65e8a5afa48057b4735dfe7bcce43aeeda8f358f0cd8f753cc65477904a329e26b740f8533d987b0c1b1b8ef5f2e46b6d1b47bf3ee08680200010688a3113

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
416KB

MD5
d65aa4ea0654967a45e81f00a3537ce0

SHA1
21d4598a0887fb2f8843f4cefc158a0f2edfb7bb

SHA256
ca19ddbddeea61aa1200dd3d2418d40266f48ebfca1c4f8956bcbf725436cb57

SHA512
2560adae770765ea469b652395131dd0925c153550bdc14cb235e0d475ff893cde3b7dee457b7cf19fe9ac0b8c4346e5c6eb770069cecfeb6805d70217738280

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
416KB

MD5
6d3b9bc71f8b1fb7419ef2e6162b9b44

SHA1
24dbb76f77b469d1af67ea13b6e7903092621a99

SHA256
2dc6fd945b767e24b8911dd27db82932e98411f02e84631223822509e9812e1d

SHA512
24bb3344318db72783ab90d17faa4608ba7a777adac13838da4dfc89c06a9ecdfc812e4b0bd5b9446be56aa61fd99ab0379c8de2489fb2ba24dd86e03cee8354

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
416KB

MD5
49b17b4a4dc163043abf89c4e43e0b25

SHA1
9659a69e83ff4f52a16b8880f1bc85db1702d22f

SHA256
1ad83e98ce5ac176179936bce5df76bec629ba08a3a897f181e1b5be712dc675

SHA512
2cc51661a8c0d8b54a28fe532543a55e4d9f2e482198c31df153630f62b0f817fcafa2ad5bd516ecf7a52ac036ac773425a23c1a6e0aea224ea97795d492d794

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
416KB

MD5
d782f6258e9b6cb0a49fef0c38a2c10c

SHA1
19e81fc8e923eda970056d2458038b7d9169179c

SHA256
7172769c0a222e140eca6b5a8765830ad7b3c026b106683f41331386d39b5b47

SHA512
8429a495b5b249df84307b325ed92b9898dc623b3438be27ad021b6e18c623801b4d19e4475043e80d44a3312ef453e1fc0a58715f7e7b32e91edbc720b52835

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
416KB

MD5
08775e7f512ad7284c8ee546224f3826

SHA1
6533608f625823382b597dd00754a7f016f18d79

SHA256
18f70b1aa30f1af558f04669b183191fa73e26f4bb9e030bdb3eee1490918ae4

SHA512
45edc2fd7b7f7d81b501f791c29d4a3e92898260c8c458e86e40b846609320651a43ce52687821d1fb479753e314662c076aa2524b3f981377ad5611bf5c9bdd

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
416KB

MD5
14f612e0f523f45866d2361dc94d6a7b

SHA1
814dfd013d3208f36d4779c813eb5ea35fae4fc1

SHA256
2f654337bae49c9828321bda23fadfc8eca8558807d64fd551b1a48fada36507

SHA512
85c406c18ee2a41f8669a938c93dc774f8a1cc9818119d9ddd46189126ba97ef243c7793c762a4d26d1344d77ed229014d41fd2a47023d49f13492c82fbe9d1e

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
416KB

MD5
ad5097d7a64defbdfda32134f364b249

SHA1
d056c433f9d2fc2565ca52299fb21e2299d05470

SHA256
96a9b62d8a2fc0547c739a35a7180a98335bdbfa9b24c7c6b7dc156edb43d838

SHA512
25c4a19f5c68981b557d0b240a651258018432026a0135a454841ec81e26bd57ac582ebef5e1b33995800bbc43a3fb563e43d98ba9bd868914466e2054dafe67

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
416KB

MD5
2ef0c38451b9a37a4e65aa8acbdee0a9

SHA1
7ad90a3d7ede24f6ddcbc2e26120238938609811

SHA256
04d76a3ed295a0ae0badb756b7d56872feee3d782f89fa082550aa172b847310

SHA512
67a791246034efee7811b3137e4f7b93576b13aa184cceaccbb0c88084d9df0837f2957239078036300b6a90da19c4c54535b1c2886625ec6c27e1099fb63f0e

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
416KB

MD5
d4aebb9253f99963abc7a9bc65875256

SHA1
0f2592f9bd727f604d09e76e23c018ca47be43a8

SHA256
0c79b3383d77a3d4db91005dc44f6c8b929bf97aa5233cc6fcfc427a7b9b1811

SHA512
24082c2be2d4f077e47c67ec4f8536f9b82a339adce95e3f676972f011359653f05a923bd032d871d8d9596d84496d4df75e0069ad243a02b45e93ba5797d08f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
416KB

MD5
8802b7e2b43ee0d32bbae4a63b655783

SHA1
593a38015f90e1b6535c46904011c3e4b38a49d5

SHA256
8cf79b0f1c8608986ce313d9e3ef84f9ccf5fbde355d13c05d24d04a0f09829c

SHA512
fe5e7097b3007ac452015f15a09bcaf80f71ff799071abc9b79b05450b7cd2a5fb52d439dd3f8138b9d3d24a290d67d248ddc3fe9b2964877c2f10b6fec74516

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
416KB

MD5
50f6a9f7a57c4a29919eebd5cb7996d5

SHA1
9c3fa024fe8d6217a613125902353f57e6c4d546

SHA256
fb0f9ee0b990281196470abab70004b6ed865c3f2633970a196a7407515ddce0

SHA512
7822b7b1f971ca66645e1a70629b98c640bcf7b409e0b3a7da0af68093d5902505c9d1031a4fbec893dde70b1a031bfa02a60fbab0c150c66d440ce704bf0fd1

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
416KB

MD5
fcef9b746d3c863f09eef9b1c8e90ec8

SHA1
293161671b60452d9d230e9211ff2bb21708ca31

SHA256
1ede5af5928eb50d790a32717ef6494d2be28912452ad5f1e30d814702565d9f

SHA512
eee6d0885ad1f2e83a2832ce81e9186106bfd2f21bdb8c10936abd9faecb32aac1b3de46172d188c5c219bd37c24f8897adb83e954b1f98e5d596d79448f83c5

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
416KB

MD5
0c3eb41e5d9bdb86331aaf209b9a3343

SHA1
30aaeb1c0a028c3e13cf3f99efbd1a9e25c8c135

SHA256
1c581a6a36aaa12d7b337ca90c53f18a6b81fc166abe07eda137733ccf7823df

SHA512
3668b907b5a8fb2138031be888a121269bfcbabd91e6678938ca5269facba9f8d981c198ff9b5a6678010c49283dfdb26c5efeb18e27522e043a70b8111eb949

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
416KB

MD5
4fc6c5f4da553ccd742758185ab7f276

SHA1
f6e8763f7aa1af047fe85125e5e3e177e1656e2b

SHA256
14aab99ad446f93d54e4660ecf3c3d48d626094c62330672c5614a4c8aa8ff74

SHA512
372e200c91c45c4527e3b07a282b0f6b4c14c10e32b7781a6677bca1b437c9fc02508be76d2d715d8813e6696bd268604c9c78458795b6aacf31de385123f680

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
416KB

MD5
9864c0dffe98adde10abdae29f85ed33

SHA1
32330b6797072c5e185e579fd14d169151a26bd3

SHA256
b0c20b307691e6461dab97341c987ca469602b9a270c556a20f3ec837b8052a1

SHA512
d4ce8d848fb73a6b7085eaceb61d668f989d982102117265bee48e4eb019381952afd89023ce270fd66ed598c7ec7363a4cfacbb71c3208e26f166ba10038fbd

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
416KB

MD5
1453ae715705896dde0e182d14bb242d

SHA1
5228cef646119dc339d727093dc2166af168e017

SHA256
8a91477e2f893ab35ba9401cb6cb364e694eba420f0980a759e39438931bb678

SHA512
21708256aa820e8249d16cdc622cf6670dd56985a5753f51f3fe0b8ad42baa5073ea82c4e693a9de1126725897d0542df14158718a435bd3e9fa2f77395f0843

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
416KB

MD5
69da0bb020a708e89e3814fefa8cdee2

SHA1
a1d1748012e2559104593184e5667754ce1f3705

SHA256
7fb43d67c3f4024e4e0937bd8f9425e6e1dd612033b3c6574d799f7e275bacb1

SHA512
49dc249b4b5a66e8a5951451c0b40a74543c73c23d44f684f37de5e0f7f4ac147b748937ed4a4170524ebb82a4cfcf4e69cd05bc35f18bd227a61094dc945bf1

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
416KB

MD5
9824928bc8fcacf8135811e0f0507094

SHA1
f63b46ce6a43384ee326f97310069449ac7b0d59

SHA256
e90b90654a799ff4954f5e4463fea257de26a225d792e510d4f659463a90f05a

SHA512
aac7d46a6ab274e6fdf6108715e5405b7094aeedb9dcabccfa8f78eb91ccb342842ebe4f94448caa7d70bb8909fa5e9973701dc3420884b5cd7a302442bd2c2c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
416KB

MD5
b6e904f407615d629b72cc50b3eee582

SHA1
058b74e53ca761fbe9fcf763d5125051a8255635

SHA256
5f5c1a9acfdaa8d9a83d5342fd84c879f9290aa5227570a6402fd3b055ee3eee

SHA512
168078e149735ece7e016aaf5376a9fe86bd0badac6f9677b4416ed3d18c4646dc56aac82e09713a1cf9ef69aaa163412d04fd2134ed9fcd16e23bbd81128e3e

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
416KB

MD5
fd5b385bfbef5bbc14e68aa94842f716

SHA1
93bd82117b1e5d43a00d9eaa1a9ac7fae061a315

SHA256
f84729850aaa4c534e203222a66945f98e3298aef94f18d7a769462268f3b684

SHA512
e70753c5532b2bd41fae40400d9fe586ed3dc4fa814cc8d40eb6b95a61b1156ad094c28b61ec632db8513c8e3764ff25dc7bcbc5a6712e673ce86ff1412ab55e

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
416KB

MD5
e98a490686465a32177ed99a394735ac

SHA1
41ac4189b59009f2b60c1c474fd7cae9af47d82e

SHA256
415be3b7b985a206f287e1ec6c8cfa37cb1a6a9e9309ec83c4fd9eee19fcbf38

SHA512
17f5c616ef8fabbcadfdc7cfd1dac13c8ebb38b3c138f97cd62984381a7b7d0092d7029729d1f54346e039471e6c0b5c93d672017ff0556097bbd012fd79c64b

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
416KB

MD5
cda8363a2a8a352c3ce1b5b08e28bfb8

SHA1
53b8226212c45a3e3032d88793ba2eca4d0dce29

SHA256
95391de7b1a8d461d5458dda2cf4853aabe868fc30d8acd890bc495377f0bb96

SHA512
a3a75a7f9741cae5ad91a8742122bd172c50920635b927e60b3a99831e91fbc2de817acb16d274bbd958dda8a327bc101a41ac17beb51df54cbb7a7dd13df2dc

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
416KB

MD5
4a797089b5c37f27d4d1a12ea031cdd9

SHA1
c77e6728f4a3b48eeb0f1c180be313cc54db44e3

SHA256
5010a8a35d2a4e2aecd24f760498ca6bc29dc8257072df2aa3cd9ce864b712c1

SHA512
362961f9eba6c2b759c6540bc2c35be95b3fbf63d8b67ce2f8cb34d22e6a4a5fac986842ac93e5fa707a18c9d07572ddab7f18c6c3c3d6bbdb31e35104571564

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
416KB

MD5
b4a111b26364c66f827ea00468c4c1c6

SHA1
49623c9bfacef24245e371a93b68bb4527b010a0

SHA256
8296cc4a94e4652289425876f870992481ebda0bd7a6eaee5acfeabec65a93e0

SHA512
64d1f04dd0bc9b194a645c4f31b78dbe4d22153f709ab178cdd5cca70fb3cbe061d800f39122daf0faf7ae6986e46dbe7e3281fb95f4dd8400ba407f9c1038db

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
416KB

MD5
74f048a8835cc5360ab64587f6bc1139

SHA1
289c43239f794d264e2a5e1967ef118eb8f03914

SHA256
9abcbcd62f9ce366178e46670034fad59028309cc738443964eaa6b1a56bf513

SHA512
5af464bed24bc35eba1ecc43d3b36f70056b75bdb95b85b90a53d590e32d3db55b82c15bdfa2420886c2329fd04686245ae41096d3ab4a8ae71a724256164575

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
416KB

MD5
5c67eeef725d73dab91ed3366fa30940

SHA1
136524c5cbe315a4692c66689d12b0bf709da2fe

SHA256
57cadcd25fbcdec54811afb699a8ba92cf61bad30d776c918eea7285697b912e

SHA512
2b099a1d57440093eee94d5b941e7632efc3e41ff42c41fa64fe01226fb4faa771b984482a71726670549f4351da20661d25120421bb54d827a3bfcaab73f710

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
416KB

MD5
d0053dc610559bc489732a47b8b22d0c

SHA1
3a526bb272002e4c217bcad949fb684ecbff214a

SHA256
aa0c3e4865a7012b01413e92927b6281784b2e4938edf3e2284edbadf4e346b1

SHA512
00727252d65017a7c78cd6f8301e0a59f943b2f8411b6e69fed7974159d4a536b5b872e0635bad28e9d493ae24e2daa2ce9fcae27db4107d24ce28e382798321

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
416KB

MD5
6f71a86153d33503ed90a5fe3018b222

SHA1
2fbc201cc1cc825edfaa87dd3f9c97892643cbd5

SHA256
c9042f9c51c2e014c5f6ea9cf891c04ccb6917168e6dcfa58bce3048c1850700

SHA512
16dd147817c5dc6a824fe9ddc4ec4e83efa3da98f3088dcfd61e336c9465b0dad8c453ff320bb80367bd1c19eef3c7ca001a0eab6205b6ef5712cd7eb7d2b445

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
416KB

MD5
7284d1a4bf3351ea8c37b733ee087364

SHA1
9b6ee6c57f790bee88ef2dd779eff9082130ff93

SHA256
f2b105776eef608f0215878507f1c5c8da5aff13709fc8ed5533b1639132294a

SHA512
40eb8ad0612291895c0fabb582a9d7f372eaeb1f87d48fee0c9b2368258cb0dacdebc8d7e626e7a2429b7f6dfc58a79bd36cebb27978ebc8cd9380ddb3c66bd8

Download Submit
C:\Windows\SysWOW64\Pipagf32.dll

Filesize
7KB

MD5
921e32de57e24534dc1f15604877e7ff

SHA1
d0f508ee063b7c92b7500742bfb989a3267c80d6

SHA256
c3c88bd887e9fe25f2801f3323b8a47a56956b54c587fd6db2b9cb793117e092

SHA512
35738fdab721280df715468084e7b6272adaf26c2f888dc22ca49b2a4e84bd7286f8ce14282c1d7a1e3bbd7ac49509054c66b5e985b77c559c6d54006eccb4d8

Download Submit
memory/112-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/796-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/944-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download