5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2

Analysis

max time kernel
129s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
Size

96KB
MD5

0ada3b7f9afc3180eed384cb7cb37960
SHA1

692c46301e194681b5f8298f1ea6af4668c840b6
SHA256

5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2
SHA512

aa47ef0417208074ce9f00480d3114fd47e0ba2ef61a6d388cc9eb80ce1a830a697fbdab4872373a64440a07f96996a79132759799246c3e191be20afd333785
SSDEEP

1536:8OenojLeWpRWZco1VGB2LBsBMu/HCmiDcg3MZRP3cEW3AE:CoXeWW7OaBa6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lknjmkdo.exeMjcgohig.exeNcihikcg.exe5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exeMdpalp32.exeNqmhbpba.exeLgbnmm32.exeMncmjfmk.exeMkgmcjld.exeNkjjij32.exeNkncdifl.exeNjcpee32.exeMaaepd32.exeNceonl32.exeNafokcol.exeNqklmpdd.exeMgnnhk32.exeNnmopdep.exeMnlfigcc.exeMdfofakp.exeMgekbljc.exeMdkhapfj.exeMjhqjg32.exeMpaifalo.exeNnolfdcn.exeNdidbn32.exeMajopeii.exeMdiklqhm.exeNjogjfoj.exeNcgkcl32.exeMdmegp32.exeNnhfee32.exeNacbfdao.exeNbhkac32.exeLddbqa32.exeMgghhlhq.exeMnapdf32.exeMpolqa32.exeMjjmog32.exeNgpjnkpf.exeNggqoj32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe

Executes dropped EXE 44 IoCs

Processes:

Lddbqa32.exeLgbnmm32.exeLknjmkdo.exeMnlfigcc.exeMdfofakp.exeMgekbljc.exeMjcgohig.exeMajopeii.exeMdiklqhm.exeMgghhlhq.exeMjeddggd.exeMnapdf32.exeMpolqa32.exeMdkhapfj.exeMgidml32.exeMjhqjg32.exeMncmjfmk.exeMpaifalo.exeMdmegp32.exeMkgmcjld.exeMjjmog32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNkjjij32.exeNnhfee32.exeNacbfdao.exeNceonl32.exeNgpjnkpf.exeNjogjfoj.exeNafokcol.exeNcgkcl32.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNjcpee32.exeNnolfdcn.exeNqmhbpba.exeNdidbn32.exeNggqoj32.exeNkcmohbg.exe

pid	process
3024	Lddbqa32.exe
1724	Lgbnmm32.exe
1220	Lknjmkdo.exe
4776	Mnlfigcc.exe
3976	Mdfofakp.exe
972	Mgekbljc.exe
1684	Mjcgohig.exe
2892	Majopeii.exe
3364	Mdiklqhm.exe
3592	Mgghhlhq.exe
4364	Mjeddggd.exe
1840	Mnapdf32.exe
2132	Mpolqa32.exe
2316	Mdkhapfj.exe
2128	Mgidml32.exe
4568	Mjhqjg32.exe
2884	Mncmjfmk.exe
1464	Mpaifalo.exe
1364	Mdmegp32.exe
1000	Mkgmcjld.exe
452	Mjjmog32.exe
3748	Maaepd32.exe
5036	Mdpalp32.exe
4284	Mgnnhk32.exe
3544	Nkjjij32.exe
3208	Nnhfee32.exe
3636	Nacbfdao.exe
2908	Nceonl32.exe
4828	Ngpjnkpf.exe
4344	Njogjfoj.exe
2384	Nafokcol.exe
4668	Ncgkcl32.exe
1576	Nkncdifl.exe
5112	Nnmopdep.exe
4760	Nbhkac32.exe
3052	Nqklmpdd.exe
1376	Ncihikcg.exe
440	Nkqpjidj.exe
2444	Njcpee32.exe
1908	Nnolfdcn.exe
3576	Nqmhbpba.exe
1864	Ndidbn32.exe
760	Nggqoj32.exe
4112	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Mpolqa32.exeNkjjij32.exeNjogjfoj.exeNcihikcg.exeLknjmkdo.exeMjcgohig.exeMjhqjg32.exeMncmjfmk.exeMnlfigcc.exeNbhkac32.exeNqmhbpba.exeLddbqa32.exeMgghhlhq.exeMjeddggd.exeNnmopdep.exe5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exeLgbnmm32.exeMdiklqhm.exeMaaepd32.exeNnhfee32.exeMdfofakp.exeNkqpjidj.exeNggqoj32.exeMajopeii.exeMgnnhk32.exeNafokcol.exeNjcpee32.exeNdidbn32.exeNacbfdao.exeNkncdifl.exeMpaifalo.exeMgidml32.exeMjjmog32.exeMdkhapfj.exeNceonl32.exeNnolfdcn.exeNgpjnkpf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1056 4112 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1056	4112	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ngpjnkpf.exeNkncdifl.exeNnolfdcn.exeNkjjij32.exeMajopeii.exeMjeddggd.exeMgidml32.exeMncmjfmk.exeNcgkcl32.exeNnmopdep.exeNqklmpdd.exeLknjmkdo.exeNqmhbpba.exeNjogjfoj.exeMdfofakp.exeMnlfigcc.exeMjcgohig.exeMjhqjg32.exeMaaepd32.exe5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exeMdmegp32.exeMjjmog32.exeNnhfee32.exeMgekbljc.exeMnapdf32.exeMdkhapfj.exeNbhkac32.exeNcihikcg.exeMpolqa32.exeMgghhlhq.exeNjcpee32.exeLgbnmm32.exeMdiklqhm.exeMkgmcjld.exeNacbfdao.exeNceonl32.exeMdpalp32.exeNafokcol.exeNggqoj32.exeMgnnhk32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exeLddbqa32.exeLgbnmm32.exeLknjmkdo.exeMnlfigcc.exeMdfofakp.exeMgekbljc.exeMjcgohig.exeMajopeii.exeMdiklqhm.exeMgghhlhq.exeMjeddggd.exeMnapdf32.exeMpolqa32.exeMdkhapfj.exeMgidml32.exeMjhqjg32.exeMncmjfmk.exeMpaifalo.exeMdmegp32.exeMkgmcjld.exeMjjmog32.exe

description	pid	process	target process
PID 3776 wrote to memory of 3024	3776	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe	Lddbqa32.exe
PID 3776 wrote to memory of 3024	3776	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe	Lddbqa32.exe
PID 3776 wrote to memory of 3024	3776	5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe	Lddbqa32.exe
PID 3024 wrote to memory of 1724	3024	Lddbqa32.exe	Lgbnmm32.exe
PID 3024 wrote to memory of 1724	3024	Lddbqa32.exe	Lgbnmm32.exe
PID 3024 wrote to memory of 1724	3024	Lddbqa32.exe	Lgbnmm32.exe
PID 1724 wrote to memory of 1220	1724	Lgbnmm32.exe	Lknjmkdo.exe
PID 1724 wrote to memory of 1220	1724	Lgbnmm32.exe	Lknjmkdo.exe
PID 1724 wrote to memory of 1220	1724	Lgbnmm32.exe	Lknjmkdo.exe
PID 1220 wrote to memory of 4776	1220	Lknjmkdo.exe	Mnlfigcc.exe
PID 1220 wrote to memory of 4776	1220	Lknjmkdo.exe	Mnlfigcc.exe
PID 1220 wrote to memory of 4776	1220	Lknjmkdo.exe	Mnlfigcc.exe
PID 4776 wrote to memory of 3976	4776	Mnlfigcc.exe	Mdfofakp.exe
PID 4776 wrote to memory of 3976	4776	Mnlfigcc.exe	Mdfofakp.exe
PID 4776 wrote to memory of 3976	4776	Mnlfigcc.exe	Mdfofakp.exe
PID 3976 wrote to memory of 972	3976	Mdfofakp.exe	Mgekbljc.exe
PID 3976 wrote to memory of 972	3976	Mdfofakp.exe	Mgekbljc.exe
PID 3976 wrote to memory of 972	3976	Mdfofakp.exe	Mgekbljc.exe
PID 972 wrote to memory of 1684	972	Mgekbljc.exe	Mjcgohig.exe
PID 972 wrote to memory of 1684	972	Mgekbljc.exe	Mjcgohig.exe
PID 972 wrote to memory of 1684	972	Mgekbljc.exe	Mjcgohig.exe
PID 1684 wrote to memory of 2892	1684	Mjcgohig.exe	Majopeii.exe
PID 1684 wrote to memory of 2892	1684	Mjcgohig.exe	Majopeii.exe
PID 1684 wrote to memory of 2892	1684	Mjcgohig.exe	Majopeii.exe
PID 2892 wrote to memory of 3364	2892	Majopeii.exe	Mdiklqhm.exe
PID 2892 wrote to memory of 3364	2892	Majopeii.exe	Mdiklqhm.exe
PID 2892 wrote to memory of 3364	2892	Majopeii.exe	Mdiklqhm.exe
PID 3364 wrote to memory of 3592	3364	Mdiklqhm.exe	Mgghhlhq.exe
PID 3364 wrote to memory of 3592	3364	Mdiklqhm.exe	Mgghhlhq.exe
PID 3364 wrote to memory of 3592	3364	Mdiklqhm.exe	Mgghhlhq.exe
PID 3592 wrote to memory of 4364	3592	Mgghhlhq.exe	Mjeddggd.exe
PID 3592 wrote to memory of 4364	3592	Mgghhlhq.exe	Mjeddggd.exe
PID 3592 wrote to memory of 4364	3592	Mgghhlhq.exe	Mjeddggd.exe
PID 4364 wrote to memory of 1840	4364	Mjeddggd.exe	Mnapdf32.exe
PID 4364 wrote to memory of 1840	4364	Mjeddggd.exe	Mnapdf32.exe
PID 4364 wrote to memory of 1840	4364	Mjeddggd.exe	Mnapdf32.exe
PID 1840 wrote to memory of 2132	1840	Mnapdf32.exe	Mpolqa32.exe
PID 1840 wrote to memory of 2132	1840	Mnapdf32.exe	Mpolqa32.exe
PID 1840 wrote to memory of 2132	1840	Mnapdf32.exe	Mpolqa32.exe
PID 2132 wrote to memory of 2316	2132	Mpolqa32.exe	Mdkhapfj.exe
PID 2132 wrote to memory of 2316	2132	Mpolqa32.exe	Mdkhapfj.exe
PID 2132 wrote to memory of 2316	2132	Mpolqa32.exe	Mdkhapfj.exe
PID 2316 wrote to memory of 2128	2316	Mdkhapfj.exe	Mgidml32.exe
PID 2316 wrote to memory of 2128	2316	Mdkhapfj.exe	Mgidml32.exe
PID 2316 wrote to memory of 2128	2316	Mdkhapfj.exe	Mgidml32.exe
PID 2128 wrote to memory of 4568	2128	Mgidml32.exe	Mjhqjg32.exe
PID 2128 wrote to memory of 4568	2128	Mgidml32.exe	Mjhqjg32.exe
PID 2128 wrote to memory of 4568	2128	Mgidml32.exe	Mjhqjg32.exe
PID 4568 wrote to memory of 2884	4568	Mjhqjg32.exe	Mncmjfmk.exe
PID 4568 wrote to memory of 2884	4568	Mjhqjg32.exe	Mncmjfmk.exe
PID 4568 wrote to memory of 2884	4568	Mjhqjg32.exe	Mncmjfmk.exe
PID 2884 wrote to memory of 1464	2884	Mncmjfmk.exe	Mpaifalo.exe
PID 2884 wrote to memory of 1464	2884	Mncmjfmk.exe	Mpaifalo.exe
PID 2884 wrote to memory of 1464	2884	Mncmjfmk.exe	Mpaifalo.exe
PID 1464 wrote to memory of 1364	1464	Mpaifalo.exe	Mdmegp32.exe
PID 1464 wrote to memory of 1364	1464	Mpaifalo.exe	Mdmegp32.exe
PID 1464 wrote to memory of 1364	1464	Mpaifalo.exe	Mdmegp32.exe
PID 1364 wrote to memory of 1000	1364	Mdmegp32.exe	Mkgmcjld.exe
PID 1364 wrote to memory of 1000	1364	Mdmegp32.exe	Mkgmcjld.exe
PID 1364 wrote to memory of 1000	1364	Mdmegp32.exe	Mkgmcjld.exe
PID 1000 wrote to memory of 452	1000	Mkgmcjld.exe	Mjjmog32.exe
PID 1000 wrote to memory of 452	1000	Mkgmcjld.exe	Mjjmog32.exe
PID 1000 wrote to memory of 452	1000	Mkgmcjld.exe	Mjjmog32.exe
PID 452 wrote to memory of 3748	452	Mjjmog32.exe	Maaepd32.exe

C:\Users\Admin\AppData\Local\Temp\5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe
"C:\Users\Admin\AppData\Local\Temp\5e702d40aad636f10c65d919d899c9f716baeaef6b0970d32d85f4a8e29478e2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5036

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3544

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3208

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3636

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2908

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4828

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4344

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2384

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4668

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1576

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5112

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4760

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3052

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:440

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2444

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3576

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1864

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:760

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
45⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 408
46⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4112 -ip 4112
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
96KB

MD5
bc67efbe3ad54ed5fb3e6736222ca994

SHA1
63b2ac7ceddecebb4a762eb0d68d9fc73e708bfc

SHA256
c3edaa84b7ceb11f80d8dc23bfe0f5868112207b39690c3d52a4dc12ce3e8b24

SHA512
2b102f78ede2555441d5e14112fef4cad3154aa6f7cbf0007f6b809f4b2aa41157518e292b5f7e2ca149f9e7ae13133fea313e05c0221f65993c37ef1a0e8344

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
96KB

MD5
d5a68060aea74cd93cd9f45e745970e9

SHA1
bb8543e28c4bda664c95d5e253981d6bde0efbcf

SHA256
f66c202edcda2e7606a3df1550b2a2a99ed0df7f22e9af0a3a262158afb3b19a

SHA512
ed3d70714660fbe641708ceb4772924733babf1e98fee2a3bfc725a2d03865552cd14d2b385a4b2f83e1fc5fa86ee459cdc94b52dcd4664d8739214ab3b13f07

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
96KB

MD5
af9f9b04247fc9fe9ec2a303c13fc629

SHA1
9afd4ed0c2b5d4392d779aade8f5101cebb71853

SHA256
29a9e70c3572d13f4eb08cfe3cbf31ceafe6f7f859bf8b28d6ffbb1cbd34fa1b

SHA512
1daa059dfdebdce088c39bdcd0480b398a3595dd24caaf418d40171bb7dd17152ef1d8ed67d58814497e41cbde7bb91c99a26da700631b13c318fdfb5bf3ae45

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
78957b4cbf42983a30ab214cb217fd53

SHA1
5fce8e1e1a71371d97a5d953bfe5fa1e31418b5a

SHA256
da6541800ed3e9279e87497e91b54ae8bee234e6172601f62274047404d1eb4d

SHA512
11ac0723f8c10bb68f77c144df85dc1a83e26fb22c42e4714bd95628093f74bacb36b1bb1721ec2cfe4f0756d071e2ffa859b25700546db9cc95e4513ce75e86

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
d48969895dbdcdb61c4a3dec4d523288

SHA1
9328a19f0c6b2ee4e40502bedbe5ac0aeaa001ec

SHA256
350328c72b83a4bf4f37cc270086df25faea4eefe6b7672f056bf14d357413eb

SHA512
1e2326152049dbad1fc50163649bc6c3614bda197dd096d14a1d4b82ff65de0a50085aee89fc289dfbdf215b28bdcd964da9b9427814da9277cc8fe043ef71fc

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
96KB

MD5
5e7cdcc5c5e9cdaa9922f294daf32471

SHA1
1d4e2e7bf0c9d5bee90f8894b32bfed85657667d

SHA256
cc70788c46a590944c5f103f9ee267636cbd5426ce65167f5b9fd2d1618f1cc0

SHA512
5b0f5a847214e37f256acc8ae685a68bf761f816763b31c22abc2ebab5d1cf5b25379acb1ed409128d625fbb17d10ccc47e9d4abad68a0094ecca1aa9f629b69

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
427a87a91d2bdd86bffeef5b2337da6e

SHA1
139aa75efaf19aee08fc3619d77753c9a65f0db3

SHA256
333ddcb29d025e499e448dd72db334af5015c8c07d7a586fe169e47b79edd19e

SHA512
c6860e1db5282782090a2b8d4423121b5fc9d64e04e7659756ba919c84c63869179eb98e2d4f39d7fe560725c1f90fd664f4243c6d9e1429cca4d73b9e110be2

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
96KB

MD5
1a7677712cfc1406c9099e0aa8d51f7a

SHA1
59e78a7b18f95e5bc63cb267a1e7fbfc3836ed79

SHA256
4f2b25d2ecd4fcb9adb24457ef6459e46870a355cdad4db608dc1ba958cfc419

SHA512
2a2f91071e0691b1e9340da7eacec34ccf3d43d8ebcffcd7df7a57e4d1dfaae30cd721b4a7855cd4d6bbf110d9e9e203f14e6b15313f64b7c9309bcdea66d9e3

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
2b30b2af35ed4ed86d43ad8423b5d335

SHA1
14e1e4df1c3a54802ea81da9622fc384af7b7271

SHA256
dbc597fdf78bb7596a9bcdcaf69f964f635b1e8d92f976d3530f2c22cb77c1ba

SHA512
193c279d94db1ad2cc3d16137ab3ef16223a35493c409e1ed436865e3be8311575811653b996d8695c9d1040bb5e806d32e7ecfdb37e7a61d7ae5b5945388295

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
96KB

MD5
e081d5b8d676d472ce45bb7d4656184b

SHA1
37014ca0f1b8cdc464811c7ddb7e01bfa0cabee4

SHA256
cc6fcb468479a30286e682f54b1647510ca04c6a1d4ae74430f6703f8330b428

SHA512
0482c2377a5cb21a98bff3e165b8589c5a5a3147982687e156239e09b923ef77a97653b33af0385eac344c2f45baf3b2ae6c20b0ed8f3f5c8196721f7bfa5871

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
96KB

MD5
86b2e1e646ef8a40757698ef4f04545f

SHA1
545428b2239f7c20a3cc159d033b659f212b3480

SHA256
fe907426570ab7467a700933181ce4bcd83d2e3c873641b6105f9aeb57fb8922

SHA512
8a5d6ce17615945435a531f390e2793edefe080e64c5ad039c5ee01d38182f4305959e9e18ce2c3add48f1afe6ed7073bd17491ab93c22b72d798c5503c130dc

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
96KB

MD5
40bf32e9ebe68670c2d941022adff65d

SHA1
ec9cd23300508392413bdc1b3f14b12e30a5d59b

SHA256
ee8fdaf7923e2493631f55d18237f4767e869aafeef5ff82654f5c03e74709ff

SHA512
5c6afb0a4b8b27daa8da1ea8f2fd2c80e8cf820b3120bbec41fa4e36c425797a6e3084ddc41440644fa82dcccf7c2d8a2bc5151c1d733ab1b80095904adfac4f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
23cf574606010f78e7ed6913faab4c2e

SHA1
55e0f2d8af6a564ed0502e060e4b04eba6b36569

SHA256
e5ddb558899fb0432450d3649517525161b6909717544098d685efe84dedcae7

SHA512
d7283c57a211c57a57c45b882128e09d709b526b74e28db6ff757f7a620505916c65fe39a1309e9914ca41f910f755415a572fccf7ff2a4ebd780ad6ccd95ca9

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
96KB

MD5
e9e75eea7b5dc4f151115ced03eb73d0

SHA1
fa96cb8d28212894a18eb521363b2b109ca74d7b

SHA256
4ab83816745df46366c68d38c7c1c12ba9cc0e16ce436e64d4cfb1fef5c9df16

SHA512
fc732034c1aea7ac3542be97f4ec2d03d33d95c3adb49be6e2ff048bb8649d034aa82d2325c8c75fccad0d292025d472cc48bd7db741af2ff863608799cf9360

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
aee973e3a55e31c33bc27e3731d2fb8c

SHA1
c06df321771862b844fd5b8e33b61c43d907549b

SHA256
cedd9d7cbd5ba05ebe2f1ec81464e140e3b184f31032aa6acd79197bc7a71d42

SHA512
95c3356deea808b3963790d08bf83fffb4fb546cded0be8c81e1a8f9ad1f7c0e351113a9932382fffb60cf5ed1c8e2b903685eedcfedd1b95eb8ea62b7ff12a5

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
96KB

MD5
85af73b821b32e8114f6603ad1025fea

SHA1
1bd9d93d9c0bb8074ece9c615437d211aec2889e

SHA256
05f43204453911b0914ad2a2255a3cb7fdb8528dedac548e3beddc3c5aef4796

SHA512
ba94c152b6b6aeefca28023a641b12b572e76ec06e174e4f28bae1472718c17afdff602e8408b733d2325fd1a660da6bba19b74c6827810e82b9d9c24fba25bf

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
96KB

MD5
c2c5c099f583204e9def9dd72e06296b

SHA1
a829aa8a3f6661ebad36c0d50c10f1c38ae3b90d

SHA256
9044deda178f3bacfb57891bd31fe547c3c44329f472c3d3d88f72c5d007922a

SHA512
cfa602011a3cf7cdc7252c52965a7142311866bb273a9f430061175089fb795f45dfe733b9be4a55817c12e17206e792cde27295e203d687b94d0dcc22ce55c1

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
dda073552ea62225c65d295d807a8aa0

SHA1
33d19195f252d9e934f0202019151d71ed657d01

SHA256
684eeb3426b9d1817277328c1cfc93ee3d20d796060e7f0e17e3f33d8922e449

SHA512
ef0c26091ffd77cd0168f0b61ec51bb5f1536482cefda69f3b968be9f1f2844c29bf493084b46aa5528ed3108276491c830d90c2714aa874d243568978a311ac

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
b4babea9024e521c9b9527dd097e5ac1

SHA1
78bf12eba06e4da1e581fae42bed305c93bbb5f2

SHA256
03e2cc6a0ecd3c1ad35ffc89413699862115a76f236e51cfd0cee2522feee539

SHA512
a6572beb98c04f82b83443cfc8f7512b9dd49f0a2d9ca92fd80ba5091b571bc8aa011b181475b93abed6df6a054c286430770f2c983548ff06bd4ec84b2df20c

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
96KB

MD5
1e99789610647c2b365184549f7383ef

SHA1
393956fb7cb5c53db71f675b06fb9488c654a21d

SHA256
20491a80decc900fc259aec1e8d51db6f07aedb22a9945467787c7927da79751

SHA512
5e594cd9b5baf0f2bbf3b6f4f3cc7f23152a48324b5d270d3dadee3c22b746bd4186dd593f69a2f1a1d000eb0da54393f0e271bd073d425e7de7e007aa5f75c2

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
96KB

MD5
8fdb4bef7a8d777d2d112a7a41e71fab

SHA1
e4d51bdb5d25b3b4d5bb8db6bd5585338dee7a42

SHA256
c827c9628e7539b7c87d319948e903430d3c13dfa390666a1b605178bdc82d98

SHA512
1e6ffdac844ac55d247e1319f937ca444efa238d4e20993a666646312155d7fef535be5c59541ffb563ed1a6b6ffe2973df11eb654ca4c483c7e118c03565905

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
96KB

MD5
beb438611c0cda7e2a45e380104a3f95

SHA1
5dcb86d2f87dc1a9d42bc801d74eccaaca81f284

SHA256
cf3afd715d64c614483c4ee4153def9fd3da05705d726fd332f7da6033d5c125

SHA512
303dd05b559a43e051939382744441d6b71fb289b3ca7fdc3bc8ea33cac66f040b1865da12018d10e5d1af65a806b78703e17d1ddeda0abc746376ffac356b50

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
96KB

MD5
014ff8099fe78ee85282449ed33ed23d

SHA1
a3785130021a9e28a12a50ed450859a81f2eec8f

SHA256
662169456a8e96555f28858562ea2f10e1ffcd91f85cebfcc915b970c8056c6a

SHA512
74503a270c93f16cc176267f498833fd3bbda6de43b728a50ee621132aed4bb4032fd548613ae725d6eb041d6fcdd34601e851f6fa992f5ba75a73f4310a44d9

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
96KB

MD5
d33c0c199e51c65f0b43c13ccf8c2694

SHA1
3fdd83087d0b816e37612680dcd7b1d206ba7173

SHA256
28dd70a9f9c1a47127e626b9360ada7083aabaf7a23331569cb1fb45fa6830c1

SHA512
0698a77fe0f20e0b4efcae213588ffe2dee66b8d633e942155f6ebcbb0f4a8467757c02614004724771e6335e5717f5e9633bad89c6f425aed0587025872ac6a

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
96KB

MD5
8ac63ef9bfa17e92d2d31a94236c7ed6

SHA1
ea7b6565e88f68504d0003ccea6139cea76863b1

SHA256
79fee83b9bf00887acb2a42ee48f1793968d4baee1ddadc3f792df5c29c0ae8b

SHA512
50c95d96787506a634c6a3af5fc3d6627f7899f28b2458a532cd8c37d692456523c25ab259f4925155a07e1f12637ec00ad3ea5998f573415ea1e2603248369c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
96KB

MD5
b5841c13634047e6ba0bd3c83f5b2cdf

SHA1
ebea73e8e86ac0d0e27de7c056adfb1784ae90fe

SHA256
5fa258da54b5d0ec74afbe6ff0ca3e50a08227e3ad97bfa557292d5d72e9cbb6

SHA512
bc31f0d0f2f1659e9eb3f0e91ba5cbb680ba0b7de9641e0602a776200d829a040c0d20110aa37199b77d7cbf3f73bfe410b947b5cbff18e31c09b50b0ac7e15f

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
96KB

MD5
9d071360104078734a44862790b50ae5

SHA1
d87f4251bbded4057e6c0d8572fe2b81593b4a2c

SHA256
8ec3b9cde6119fce8362d4200922eaa262e37ea9aa40cc11849f0a9876fcea1a

SHA512
96c0ff0558087842b471f92d5cb3048d8d1346002b89245427c20a4d39681b770187dda406f6509364f220556230daf536ed30a9c2542cfa3ba456c5b16cdff5

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
96KB

MD5
f5d591b57bcf7d87612a59fee26a4088

SHA1
98b7369ba27f3a778142e092c9d2aa7d51b718b0

SHA256
24ba63472095f98cf945ef21f5f0405c6283d50416d88a04a7effb8d4bf4c1ea

SHA512
032e81b1a116a82d2b2bfc51ef57689286474513aec9c693116855fa3a3b378fa55c85591d6b91108007740efee9885aecb1e7e6445e32ee1531fd3fe52a5934

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
96KB

MD5
29752b789cb569b939c322f9cf10f50d

SHA1
5111e39b99ccc29d769e9b49f0a8a8fb8b6960e2

SHA256
ce916ef8c813b140119009e6952c7aadb5ba2e660cf62fc72593ff40e42445d6

SHA512
7f2b1ba6171e6057bc77391e449a108c26908177118e14d7fc8ddd19a6df22d197e11db3241dd816fce8d7d2687ca6b46c463a9b509a9075cc8cf8b7428631e0

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
96KB

MD5
bf15125da0df94b97027d46471fef604

SHA1
ac2eef9f415dbc8c8448715120ac6af790846598

SHA256
9a0059990cffe7650fbd278a65427dde16fce8d0d8a4dcbb923bdb78b50b70fe

SHA512
10b9a592c845005d3a9cb9925fbe269334a653e5903f9e1a9c81fb977d129102efcd3a0adfe6f8a3d46c355dc8c01d8eaed254b4178a13ea65948fcadaf25b89

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
b1435f84b4c9f2e88e21b0be1efcb424

SHA1
e59f759d9e6a6093cdab3bc81e4aaaaeab32bc27

SHA256
b8e0acdaf1b3d0c91238da9747d6e3b9816c6a726cf0c1540f7172169be52db7

SHA512
00db8a6e93a8a5059d6d8e1cbd11b73f59c6c2ed1e657462f1be5deddfdd5c2268a18357a1af7530d84aaf705d3abd34d8a12fdfafa30dfcb078b74a2d188b7c

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
e139c77e7fca22ab19f424d304e3f423

SHA1
d3d3c0430a778673083629334f43030caff6d0a1

SHA256
cd9b10e1805ed6b826e5722e92b5519789628c4fc423009e200a9fb5516adb93

SHA512
794f8f7792f1fabc53a9c0c3a086fc9415782bf704d1bf3b8bdc3a7fe67707244cf3a9ef7e7ff74824741d7b123cc14398eac041d2ca521876b641f562906f75

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
04da53bbb5496e5b0ebfcc689ebd373b

SHA1
9f9d6e5414439f2631c6144c6eb2441476ebd234

SHA256
39c916186c2ef6f284ce5ea01e04d299d72f6d3bd3d2ccfccc012fb0b721bfbc

SHA512
96218598c22ef5f1b58af81f3e1ccdafb7548f4c6c7019180c1f1a43c4d71f94abab566065c528ed22768a1b19ededadc3aa11c794324d02a9ddce246a14e96e

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
fd27fdf5173807d60caf2bb69c36f650

SHA1
7a785840c9a442d51e4cd8015c11e127e2399d1b

SHA256
9bc5c22eeee5c1deeb96c5a625c491c8469e82fc4e969fbeb407f17788890be9

SHA512
513984b29174db6a69dd716890ef1d68d623b6b053cc1b4f9d42de3e3fe03b05bf73b2650799f8fa7513e005ea095e4fa02059160d66e8f29108d3736a38c8ea

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
ce3935d129d8e7126feb039221fdbc80

SHA1
159312d7a6418f9030429efc83262ed8b893846f

SHA256
03aa7c0cc2e94c571aa1cc94e63757f489211090b0e3339ee9dc48ee89d4b5d9

SHA512
c7c55119cc733af51def794764084aaeeb5fb09b701575259132367263f0e4a6a8b53548b18123d2c6c75eb466ab6bd9e117cc9565b798a2dd664c496ac95c8a

Download Submit
memory/440-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3976-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download