b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Size

52KB
MD5

ad4ea5a7cb23f8e8c3e2352a92de0598
SHA1

7ebc9a53303240db25dd8cf9c063041930d4d544
SHA256

b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db
SHA512

bcc8a1857261549cb940f76d8b150adc8b369592251413149117a73d12a0119df4a9c9d585ae5346e34e00d4cc686dbdc2e43369ca9195866b6c450ae002bc12
SSDEEP

768:7yCYPcSTBAwE18ydWjT1JHBPQkoaNB7ts7JCYQuACe5Co/1H5:2hddAwk8YgT1r7NFtI6R5Ci

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kkbkamnl.exeLdkojb32.exeMamleegg.exeNqfbaq32.exeMaohkd32.exeNcihikcg.exeNdghmo32.exeKbfiep32.exeMcklgm32.exeMglack32.exeNjogjfoj.exeNjacpf32.exeLpfijcfl.exeNjljefql.exeNgpjnkpf.exeKdcijcke.exeLpcmec32.exeMnocof32.exeMnfipekh.exeb9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exeLcdegnep.exeLcgblncm.exeMpaifalo.exeKpjjod32.exeLnepih32.exeLaefdf32.exeMjqjih32.exeMkbchk32.exeMkgmcjld.exeKmjqmi32.exeKckbqpnj.exeKipabjil.exeLgneampk.exeMpdelajl.exeMgnnhk32.exeNnjbke32.exeLmqgnhmp.exeNcldnkae.exeMcnhmm32.exeKgdbkohf.exeLkdggmlj.exeLdmlpbbj.exeMgekbljc.exeNbhkac32.exeKajfig32.exeMgidml32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe

Executes dropped EXE 60 IoCs

Processes:

Kgphpo32.exeKmjqmi32.exeKdcijcke.exeKbfiep32.exeKipabjil.exeKpjjod32.exeKgdbkohf.exeKajfig32.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLdkojb32.exeLkdggmlj.exeLmccchkn.exeLdmlpbbj.exeLgkhlnbn.exeLnepih32.exeLpcmec32.exeLgneampk.exeLpfijcfl.exeLcdegnep.exeLklnhlfb.exeLaefdf32.exeLcgblncm.exeMjqjih32.exeMdfofakp.exeMgekbljc.exeMnocof32.exeMpmokb32.exeMcklgm32.exeMkbchk32.exeMamleegg.exeMcnhmm32.exeMgidml32.exeMncmjfmk.exeMaohkd32.exeMpaifalo.exeMglack32.exeMkgmcjld.exeMnfipekh.exeMpdelajl.exeMgnnhk32.exeNjljefql.exeNacbfdao.exeNqfbaq32.exeNgpjnkpf.exeNjogjfoj.exeNnjbke32.exeNqiogp32.exeNcgkcl32.exeNgcgcjnc.exeNjacpf32.exeNbhkac32.exeNdghmo32.exeNcihikcg.exeNjcpee32.exeNbkhfc32.exeNdidbn32.exeNcldnkae.exeNkcmohbg.exe

pid	process
3020	Kgphpo32.exe
400	Kmjqmi32.exe
956	Kdcijcke.exe
3448	Kbfiep32.exe
872	Kipabjil.exe
848	Kpjjod32.exe
4928	Kgdbkohf.exe
3488	Kajfig32.exe
100	Kckbqpnj.exe
1540	Kkbkamnl.exe
1488	Lmqgnhmp.exe
4872	Ldkojb32.exe
3492	Lkdggmlj.exe
4496	Lmccchkn.exe
4880	Ldmlpbbj.exe
4068	Lgkhlnbn.exe
1492	Lnepih32.exe
5068	Lpcmec32.exe
2588	Lgneampk.exe
388	Lpfijcfl.exe
1400	Lcdegnep.exe
5064	Lklnhlfb.exe
740	Laefdf32.exe
5008	Lcgblncm.exe
4464	Mjqjih32.exe
2720	Mdfofakp.exe
4724	Mgekbljc.exe
2404	Mnocof32.exe
4208	Mpmokb32.exe
2616	Mcklgm32.exe
3876	Mkbchk32.exe
2176	Mamleegg.exe
3484	Mcnhmm32.exe
1616	Mgidml32.exe
1000	Mncmjfmk.exe
2100	Maohkd32.exe
3396	Mpaifalo.exe
2472	Mglack32.exe
2632	Mkgmcjld.exe
1560	Mnfipekh.exe
1476	Mpdelajl.exe
4456	Mgnnhk32.exe
5100	Njljefql.exe
2796	Nacbfdao.exe
2452	Nqfbaq32.exe
3892	Ngpjnkpf.exe
4660	Njogjfoj.exe
3028	Nnjbke32.exe
4528	Nqiogp32.exe
2524	Ncgkcl32.exe
3032	Ngcgcjnc.exe
1020	Njacpf32.exe
2444	Nbhkac32.exe
4236	Ndghmo32.exe
2368	Ncihikcg.exe
4512	Njcpee32.exe
2416	Nbkhfc32.exe
60	Ndidbn32.exe
1892	Ncldnkae.exe
4084	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Kckbqpnj.exeMpdelajl.exeNjcpee32.exeNbkhfc32.exeNcldnkae.exeLnepih32.exeLcdegnep.exeLklnhlfb.exeMcnhmm32.exeKdcijcke.exeLaefdf32.exeNdidbn32.exeMgnnhk32.exeNjogjfoj.exeNbhkac32.exeLdkojb32.exeMjqjih32.exeMaohkd32.exeMkgmcjld.exeKmjqmi32.exeKipabjil.exeLdmlpbbj.exeNjacpf32.exeMpmokb32.exeKkbkamnl.exeMdfofakp.exeMgidml32.exeNqfbaq32.exeKpjjod32.exeKgdbkohf.exeLmccchkn.exeMnocof32.exeMcklgm32.exeMnfipekh.exeNacbfdao.exeKajfig32.exeLmqgnhmp.exeLgneampk.exeMncmjfmk.exeKgphpo32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1592 4084 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1592	4084	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exeMgekbljc.exeMcnhmm32.exeMglack32.exeMgnnhk32.exeKckbqpnj.exeMnocof32.exeMaohkd32.exeMcklgm32.exeMncmjfmk.exeMpaifalo.exeKgdbkohf.exeLklnhlfb.exeMjqjih32.exeNjogjfoj.exeKbfiep32.exeLkdggmlj.exeLnepih32.exeKgphpo32.exeNjacpf32.exeNcihikcg.exeNjcpee32.exeNbkhfc32.exeKipabjil.exeMpmokb32.exeNqfbaq32.exeLcgblncm.exeNdghmo32.exeMkbchk32.exeNjljefql.exeNnjbke32.exeKajfig32.exeMpdelajl.exeNgpjnkpf.exeKkbkamnl.exeLpfijcfl.exeMnfipekh.exeNcldnkae.exeLcdegnep.exeLmqgnhmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exeKgphpo32.exeKmjqmi32.exeKdcijcke.exeKbfiep32.exeKipabjil.exeKpjjod32.exeKgdbkohf.exeKajfig32.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLdkojb32.exeLkdggmlj.exeLmccchkn.exeLdmlpbbj.exeLgkhlnbn.exeLnepih32.exeLpcmec32.exeLgneampk.exeLpfijcfl.exeLcdegnep.exe

description	pid	process	target process
PID 1448 wrote to memory of 3020	1448	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe	Kgphpo32.exe
PID 1448 wrote to memory of 3020	1448	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe	Kgphpo32.exe
PID 1448 wrote to memory of 3020	1448	b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe	Kgphpo32.exe
PID 3020 wrote to memory of 400	3020	Kgphpo32.exe	Kmjqmi32.exe
PID 3020 wrote to memory of 400	3020	Kgphpo32.exe	Kmjqmi32.exe
PID 3020 wrote to memory of 400	3020	Kgphpo32.exe	Kmjqmi32.exe
PID 400 wrote to memory of 956	400	Kmjqmi32.exe	Kdcijcke.exe
PID 400 wrote to memory of 956	400	Kmjqmi32.exe	Kdcijcke.exe
PID 400 wrote to memory of 956	400	Kmjqmi32.exe	Kdcijcke.exe
PID 956 wrote to memory of 3448	956	Kdcijcke.exe	Kbfiep32.exe
PID 956 wrote to memory of 3448	956	Kdcijcke.exe	Kbfiep32.exe
PID 956 wrote to memory of 3448	956	Kdcijcke.exe	Kbfiep32.exe
PID 3448 wrote to memory of 872	3448	Kbfiep32.exe	Kipabjil.exe
PID 3448 wrote to memory of 872	3448	Kbfiep32.exe	Kipabjil.exe
PID 3448 wrote to memory of 872	3448	Kbfiep32.exe	Kipabjil.exe
PID 872 wrote to memory of 848	872	Kipabjil.exe	Kpjjod32.exe
PID 872 wrote to memory of 848	872	Kipabjil.exe	Kpjjod32.exe
PID 872 wrote to memory of 848	872	Kipabjil.exe	Kpjjod32.exe
PID 848 wrote to memory of 4928	848	Kpjjod32.exe	Kgdbkohf.exe
PID 848 wrote to memory of 4928	848	Kpjjod32.exe	Kgdbkohf.exe
PID 848 wrote to memory of 4928	848	Kpjjod32.exe	Kgdbkohf.exe
PID 4928 wrote to memory of 3488	4928	Kgdbkohf.exe	Kajfig32.exe
PID 4928 wrote to memory of 3488	4928	Kgdbkohf.exe	Kajfig32.exe
PID 4928 wrote to memory of 3488	4928	Kgdbkohf.exe	Kajfig32.exe
PID 3488 wrote to memory of 100	3488	Kajfig32.exe	Kckbqpnj.exe
PID 3488 wrote to memory of 100	3488	Kajfig32.exe	Kckbqpnj.exe
PID 3488 wrote to memory of 100	3488	Kajfig32.exe	Kckbqpnj.exe
PID 100 wrote to memory of 1540	100	Kckbqpnj.exe	Kkbkamnl.exe
PID 100 wrote to memory of 1540	100	Kckbqpnj.exe	Kkbkamnl.exe
PID 100 wrote to memory of 1540	100	Kckbqpnj.exe	Kkbkamnl.exe
PID 1540 wrote to memory of 1488	1540	Kkbkamnl.exe	Lmqgnhmp.exe
PID 1540 wrote to memory of 1488	1540	Kkbkamnl.exe	Lmqgnhmp.exe
PID 1540 wrote to memory of 1488	1540	Kkbkamnl.exe	Lmqgnhmp.exe
PID 1488 wrote to memory of 4872	1488	Lmqgnhmp.exe	Ldkojb32.exe
PID 1488 wrote to memory of 4872	1488	Lmqgnhmp.exe	Ldkojb32.exe
PID 1488 wrote to memory of 4872	1488	Lmqgnhmp.exe	Ldkojb32.exe
PID 4872 wrote to memory of 3492	4872	Ldkojb32.exe	Lkdggmlj.exe
PID 4872 wrote to memory of 3492	4872	Ldkojb32.exe	Lkdggmlj.exe
PID 4872 wrote to memory of 3492	4872	Ldkojb32.exe	Lkdggmlj.exe
PID 3492 wrote to memory of 4496	3492	Lkdggmlj.exe	Lmccchkn.exe
PID 3492 wrote to memory of 4496	3492	Lkdggmlj.exe	Lmccchkn.exe
PID 3492 wrote to memory of 4496	3492	Lkdggmlj.exe	Lmccchkn.exe
PID 4496 wrote to memory of 4880	4496	Lmccchkn.exe	Ldmlpbbj.exe
PID 4496 wrote to memory of 4880	4496	Lmccchkn.exe	Ldmlpbbj.exe
PID 4496 wrote to memory of 4880	4496	Lmccchkn.exe	Ldmlpbbj.exe
PID 4880 wrote to memory of 4068	4880	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4880 wrote to memory of 4068	4880	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4880 wrote to memory of 4068	4880	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4068 wrote to memory of 1492	4068	Lgkhlnbn.exe	Lnepih32.exe
PID 4068 wrote to memory of 1492	4068	Lgkhlnbn.exe	Lnepih32.exe
PID 4068 wrote to memory of 1492	4068	Lgkhlnbn.exe	Lnepih32.exe
PID 1492 wrote to memory of 5068	1492	Lnepih32.exe	Lpcmec32.exe
PID 1492 wrote to memory of 5068	1492	Lnepih32.exe	Lpcmec32.exe
PID 1492 wrote to memory of 5068	1492	Lnepih32.exe	Lpcmec32.exe
PID 5068 wrote to memory of 2588	5068	Lpcmec32.exe	Lgneampk.exe
PID 5068 wrote to memory of 2588	5068	Lpcmec32.exe	Lgneampk.exe
PID 5068 wrote to memory of 2588	5068	Lpcmec32.exe	Lgneampk.exe
PID 2588 wrote to memory of 388	2588	Lgneampk.exe	Lpfijcfl.exe
PID 2588 wrote to memory of 388	2588	Lgneampk.exe	Lpfijcfl.exe
PID 2588 wrote to memory of 388	2588	Lgneampk.exe	Lpfijcfl.exe
PID 388 wrote to memory of 1400	388	Lpfijcfl.exe	Lcdegnep.exe
PID 388 wrote to memory of 1400	388	Lpfijcfl.exe	Lcdegnep.exe
PID 388 wrote to memory of 1400	388	Lpfijcfl.exe	Lcdegnep.exe
PID 1400 wrote to memory of 5064	1400	Lcdegnep.exe	Lklnhlfb.exe

C:\Users\Admin\AppData\Local\Temp\b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe
"C:\Users\Admin\AppData\Local\Temp\b9993861be60bf3acc942f6b08afb461a9a4ddb0e23b32dae862ba69098d33db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5064

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:740

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5008

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4464

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4724

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4208

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2616

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3876

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3484

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1616

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1000

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2100

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3396

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2472

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2632

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1560

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4456

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5100

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2452

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3892

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4660

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
50⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
51⤵
- Executes dropped EXE
PID:2524

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
52⤵
- Executes dropped EXE
PID:3032

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1020

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4236

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4512

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1892

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
61⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 404
62⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4084 -ip 4084
1⤵
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe
Filesize
52KB

MD5
e5a55405da870b6658e8f44e284b1158

SHA1
50db47344e68b2c00eb1a1ddf6b6894b8a03e4a5

SHA256
da2761212f694b8a8be59061ddedd4fa83121d387f468cb6fa895cf267250c5f

SHA512
83fe76039a0510207f29e9d45187cc1961de8c251a32b082e6288fb04ff611210e78d96220d60677456401d0d5a1d71563b3d5cdfff4e548e5545ec6335a6592

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
52KB

MD5
dda15f8cca840b058d0f27c67df6b053

SHA1
ba680bdd4461271733f7493eefd9d85a48025c5a

SHA256
34c83e334ac2754acc96a300cc5ec00d33ec64784910de5ab83ebd838a505b36

SHA512
c84129982a0b6c2b5f48f9b70722a648adbab1b28cf8f651bef2e5261c761ccdb34f7534ffad8af978c22a5ba4adfb1e5b0730ad773b165cadea6af754442a91

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe
Filesize
52KB

MD5
1068938c3f04a0a0ca154f804254e860

SHA1
f229ef727433cd84fe7d7a07999dc5dce6be3f7b

SHA256
a5b8fb44fa986deed328f169800dcbc31816494ed448b69add8c84823ec09001

SHA512
69d4d3dfed811ca6065b8571dfe1a3ce89c28119f8f87fd6b0fef31344d4577534e8ec2cb57ea453c9e2eb03dd74fa80aff615b0eb8fef6b4d1453c012a87821

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
52KB

MD5
45cfbc01354368337189337ef9acf746

SHA1
bbaf686dd6d369fea26b8a8f4377de08749f016a

SHA256
90bfde378aa29b61c81705c2875863302ae04972e2c56b581435ce3742d7200a

SHA512
6c4b43dfac0e4b3e75132980f8f6b5881004387f568fe050f2790e3a5c384977f4a12e2329c3d6e6245ea44881e5fe74de41eaac3746575753c23f56003febcf

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe
Filesize
52KB

MD5
68bba879df87361a55bfbcaeea4edeaf

SHA1
ad0f317668319f8c195b47976aa1cbd8f805bba0

SHA256
ab9670f60313ab40436ce94ebec4080df2536c2832d609f76bdb064803b77974

SHA512
8e9926de8186dc81e3ddfa50557c1cdcbb39a73b8746adff4ccd5f33926681006f906ea387200a38f2b323a3cfde3cc01c1876f757186be42f287066abafe07a

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
52KB

MD5
d876c1c2458b563d45d57e0e428128e9

SHA1
8f4268afaa343834b396a19c8c572a11d447a1a7

SHA256
5fcd361a63389d14a40e7e4c61337b783d88ac0612104ef15e10c1b41d4bd37d

SHA512
f4195939badba625157a2ee55796a0bef781461af39b0a088a82a74ef27e32d4c4042eff500d5854047fc8bdfe493eef15f75c2991b979e0de15fdf75ced9025

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe
Filesize
52KB

MD5
789de8ff43c12b0076d0e5f7862bd4e5

SHA1
1172cbec596755e10c10dce303ed1bfc8d57f4f1

SHA256
f1481a5a1b81fe38bac541241203d1adc5edee6185794da46b6e92498317756a

SHA512
f53c6ba5666dcdbb95c19bd609c19cb4e07b646dd08ba639cb2bce9498d5fc1fc8a21a84009ec5c933a17d4b717f396ab206e991cd2b0aeb0acef96323f06301

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
52KB

MD5
2fdbf601bcf24d1e7297bbfefc2b36da

SHA1
c74e615c9e22a114eb7f9bec705e71abcdae42e6

SHA256
962694ba0b8b12596ef3a382e9a10b5eaf1c2d49802ff6ef2a61488bcdb0020f

SHA512
32ee1259a4f6e7f2ea1e1b2802c04b84c4f48aee9eaee09d5d43e8007de2efac6a2cb9733034b62c4861da75ab6cb7120309a124ff5fc7a7ef58754963f3c0e2

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe
Filesize
52KB

MD5
ed92e959a1f1e7a252b8a3ee0ef9634f

SHA1
936cd0c4614acb6459f7a7ca4f00b2e2a11cfca6

SHA256
ab8e6ec60c30bec7b26deefed9526b5f0318145c21767c6b0470725d21dc496d

SHA512
bc16305422ea49592fbbcb52ef0d616ab1a43568080dd45e179728663bc7b410265ae7997522fd7b66056ea74ddaa30f3a9c3f48353a84fb645a0e660c225b7c

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
52KB

MD5
1ec35b69526832e8a39a53fda946858a

SHA1
1f6db2660b7de6bbfefc68d987d1514f03cff6b2

SHA256
f3bcaa358908b1fa357dffc004eba6d43a1538d0a74be58230970867975461ea

SHA512
83bbc72b0bbeffa7ec7757e3545e77ba3ac0688e97354bca6a91aad9c2ddd7b09d79737db7e66feaa10ce3207d6791f93c76c146f40dca3473de5c8075c8c789

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe
Filesize
52KB

MD5
4f837c43e18c613d61b2955ac59d4dea

SHA1
9ae2bf7eec79c039570887e914a3cba85e470c16

SHA256
20c075d479fa7c7062f34e4b1b2c512c46b023fddfee044c7253b05f3feec28e

SHA512
c61b3a9ca99a379889d974112d92a7d7792559be3cd8ec2bd287d543133658dd2424859149c479d80874eeee48bf771e816c0c5a4ea82913c013d206af042405

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe
Filesize
52KB

MD5
c0fe346d12eb9dcf705723f170bfc6f2

SHA1
54e6b3fc7f43c000d20ac64c7b50a00a0fa0123b

SHA256
bdf1a9a7c3b6228b8f3cbb4623a93a9cc1ad7bec9a1fd7517fd31f407d51012e

SHA512
3726f7139824516916322b71564773bd07c303162d2814de5334e578a10bf205e2b7eda24b15396dc6abe41307c6364d70da90b70a781565fff91cc1d963d7a1

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe
Filesize
52KB

MD5
bf896489b8bb3dfee173a2a40c6842c6

SHA1
b14387dc6df300e0a2fa9bf4fb36e6cda38afcf6

SHA256
7caf6e3c855c527282b2067b416a11df622bacfc9f504b89a1c7ba1cd6888b5c

SHA512
1736f32eadaea115c87035992e5e69828f2c94e55192b7ab9fa89d78d0c42c9f656eb036cb0559f806d815eda69fcac3dfcdb503b2eb4b763996455573dfb448

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe
Filesize
52KB

MD5
7b63cccf7f01445a92fc389c05342fba

SHA1
c2f45e2b17a5c9d6004c70988a59d99f1b5c7fe0

SHA256
c63f3e7cc20cbdf0b1d55918217858035b30b27d8eced1e1617412e750114b69

SHA512
52a07ee8d23b92d9f36a623bfac84744b6f89a87ff520243699a8f06434fc66da6875d25e2588787cf6177a0b51fba55803ad4faa3d5423ae14068c4ca5a35ae

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
52KB

MD5
1d22e4e59fe9c4e7168ca44c0c57c828

SHA1
48395ee5a657261c4c7edba1bcb1d82408fcb936

SHA256
f33be1af7ac691d6850cfc23722b21c54c9d745b265deb22afe9a40f41a85524

SHA512
5c505afe5cc344a294de176b8f33910639665e2acefda18d93bead386cdfb56cc1b6613770e9ac4acbb28814375f895e6e017d402e50d4bac3a0320221d22c9f

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
52KB

MD5
25470903864b3fb27bf5ae55c0fc0266

SHA1
c4d3d50b5876ac427956c5f2f85eb969244eac9e

SHA256
2c5494809be9a948dfb484534205c20bc0536d6a1c4997110ca6af160df50659

SHA512
af4a535207cd273b3b1e8b2e034da18e40393e16a229a6d03a90e870407f07c8a0f453ffe54c220300eb58adb4da42523783a55582629933a2f6800ade7f7c21

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
52KB

MD5
b970a9e30b83193aa9339bc75e86e86a

SHA1
7cc16f297099b73f65edcbf67c266effb133c0ee

SHA256
3d4194df7c1bf077860074d12d4712e311121a9fa2b78e76c993e9fd25b6c2cb

SHA512
0ee3c64844edb0d52fd961b03d43485db935419243d0a03cbd6b6959cbc1d7f19a691d4da1bc9c549f531933ec2cb4fb466db0a060290e6228b3a9ec51c3b967

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
52KB

MD5
57cd71d14a4d874fa875ff84eb08bfc0

SHA1
7d745798fc53e99329d45c145fafbeec12682921

SHA256
2f11dbeeb8d1e86706dfaf8303a0729c24382174b5215e5bd6b7ce3262555993

SHA512
6b45ceea0c4cdb466573cd7828a4c6333fdb07e04523a19e14d32c1123dcab502f52a085fd831880399c953821711258858840d4ac6ac422558ebe6dce7691c9

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
52KB

MD5
e735239f05fb5965c6d4898607dc4a4c

SHA1
f4b94f80b5144fd1454fb2442cf3df7f5fe24cdd

SHA256
21fe9abf3bae1a535295575ca2648639c23d9129a196479382772901e0387c4a

SHA512
6e2630d6d4cc6a96726b2f6a7c9c308aac1516e6e1b174940ad52f7a3659a79796e16cfdec88ff079b1896cf41a85332ecb60e31a158e619ae8585099e832520

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe
Filesize
52KB

MD5
6f20a86d37996863250ca42fd6b18b76

SHA1
f337575939421ca8a783de7feaad6604b011129e

SHA256
60cb3ce0e0ab6cadc8b78da7e8f440d82a72680793eb11b5fc5739c407db3042

SHA512
5f802102915445ef93fdcdb386aeb5924273949b71e61900eb1b844549fd28abfe3d7617237f12e34dcee7c4e467a1bbcea8134de822de34f5d0e1dfead80f41

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
52KB

MD5
47e51e1d709c12246cebe343bbb7f26e

SHA1
35096e1ad221b7762376559501b17a6708a0dace

SHA256
91f868a9f0f6c4f694f011b822562d87830d5957c1fa2f9fe127cc127024ed05

SHA512
fc623113bd812b78505263d682d0b44b7ba1d791638f21a5ff8b0d39470bca17636d80101d7db624204d6b226b9bf836566a09e3aa483492425ba2455ec8762c

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
52KB

MD5
87701755eee2819f6a22563d76f28712

SHA1
a528b66f93a750a197be0b862e6d05b8866c0640

SHA256
50dfbb55ce66f2a5dea4ccd8519bab56e04034db30d2e046f7320acb77027c2f

SHA512
3f8672100ace77239e055392afdeac4ed18ab60b516fb85a71ce61f6b4dc0215a8ae3f7b442db56da767b2f15f5da8b275b5bc577080778f636b7a7a9e440184

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
52KB

MD5
13e690a58cf5bbbe5b6a9d93ce6832c9

SHA1
0bf3df2e5683fcf397634b44c095912a15b46aa5

SHA256
a4234c9353d00d53f402d33c185fc39cb06e4f248fc8479e290905c7153ed641

SHA512
3271c757196bc1892fc2933bb5f2dc1b8eb2ec2b6ede345425dd3e5859de5cc0d0e05c86f0f9496937998705fe7c0064223e25b55881365eda993fa9534801d7

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe
Filesize
52KB

MD5
b17b689e13e33d4c945c0e3728460f92

SHA1
91ebe4a8967dd2ac40adbe2cea6fe0f7b64f00c3

SHA256
5360829c1e43d68bd10020267f5b3895f9fa002f806b668c256b28f50f5fe70d

SHA512
4020904c10a84e1f5183b8ba459d204b904ffcdbd82d26aafbc0963c614013b35c3b4cc1b8b21333698cd56487c36f4631847b01b8f15acd36012dcc3ed9467a

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
52KB

MD5
0ce14bb8a0719fec84651f56f92bfdd8

SHA1
266a00b47d7b5cac7e1cc1b9c332b84f32efae6e

SHA256
5dacac22fd9a244640ae458db4df5edf006dabee6698724bfae9d87f72bb72f3

SHA512
91beeed2ae1cd4ca3bdc65483e4910eb70027d66f5c12b7fc73f9b9281fe1a3eb180a9beea6d78a6acb5f69def95cb080b53a26c722096dddffb0f8e8a3311a6

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe
Filesize
52KB

MD5
01d125d44d4f923ded69b255859b42da

SHA1
28c6080535726782a757b5b795a545f4e67e3e8a

SHA256
86ad5bc7900f82123081a938a271b25949fdb8c7153971f8307b2d4575c9480b

SHA512
9771e2677fa97a71bed6a7815b2882d112f24a19b7af1c5d4fabcbbc791e4e710ce651f5823c3785956c9086b818db182f65834c1147c67d800283a8b251599e

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe
Filesize
52KB

MD5
68ee9e599766101634d232f378dd371a

SHA1
bd7e0b680e2328dacfb8d3c49895d134a4cd5c65

SHA256
1e7fd707b173120525912b6c4c8c8d1c55de90b13922be55b13cab542d703863

SHA512
a29b3a3767fdc5463941bb509e3a26c7b00fd0b5ed7bd727fd4baa8e61dcd55851ce90e0a28f5d44116bf473d50f21fc82f7dbc7e549efee18eded054267fe15

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe
Filesize
52KB

MD5
31552fb11f2b7f969bf124268be1994c

SHA1
16ec14e150671f012ada4e0d93aff0422e4f85f7

SHA256
04424db3a35e532cbd00f6cf7221cc5a26c280be226a4ebf69c9cf383edeff7c

SHA512
cc1fd8a94748f1ff97950dfe91fd048eab7bc1bd77aea43466b4f4fde87ef89a6c0886096b2b017e1f325a2e87de97553a42adab247471483ca2979bcf0c6cb9

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe
Filesize
52KB

MD5
f2824472cc78f2bc30bfd8780074d7e5

SHA1
69e3148ad3cd064d6cff129b4ad0a5e404dff6a3

SHA256
1ee6b69c34f4aa465fd0682eba7182a5faa54308d6bdb37f1d9dc3f02fff5d99

SHA512
42b55126239e74ccc2283d71290044e41065e6a79c699e73bbb5b6984906ca1b9625892406962cb75aa40e6ef514bb6da536a92c864f47c8a4c964594226e54f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe
Filesize
52KB

MD5
a92163486315c3ed40750055a6b7aaaa

SHA1
7ed4f4a07caab24205109410bf7a69cfe172268f

SHA256
c256864f8b2bae315a8c760089d4242ceb4f771ccab288f4b9dcb8901a0bafd5

SHA512
deecc51093656a3b86d6559ef9e1544e1b46ed4914b49b6ce834a2bd2d1e42636f8b0bb4df8e14af4886450fbc2797ae571b8eb6c2efc7d289efe8f8d4cc4b30

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe
Filesize
52KB

MD5
7f0aa5fe9f48a06fb2e089d874ef9b8f

SHA1
85b5eb44165141657c1834b1562b9e1c083080c5

SHA256
70788e881fd21db0afefbce8b11882921b5486c0c70cc12e929d56eb37a1f20d

SHA512
fcb66e70287ceb8af8411481837dbc127ccd78ffbaa4da7abdb027cbed61bf3948067771ec0d2efbe3ae51f2aa0a82ed92e1365bbdb89a0b446acfe58174903a

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe
Filesize
52KB

MD5
b450446b47a2ecb6d69bb993bc7f060a

SHA1
18da0316bde58ece6fd70272c494f8963b107322

SHA256
639abd9335d0f9397aeb43e97260d89ed00300367e17e3b9354c5fdf84b2a2d9

SHA512
83947d51af648b0d3b8989555bacb850cb04fa34621c2548dedfb6a6ccb1a5b553a00c40d000a6e74b5d840e5167aade28786c14a1e5c853ea364a65de45c593

Download Submit
memory/60-429-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/60-416-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/100-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/388-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/388-491-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/400-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/740-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/740-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-47-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/872-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/956-28-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-465-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1020-380-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1400-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1400-489-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1448-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-456-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1488-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1488-509-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1492-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1492-497-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-467-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1892-423-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-284-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-470-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-394-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2368-433-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-477-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2416-411-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2444-436-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2444-386-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-449-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2452-334-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2472-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2472-460-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-440-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-364-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2588-493-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2588-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2616-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-302-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2720-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2796-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2796-451-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-444-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-352-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3032-374-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3396-462-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3396-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3448-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3484-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3488-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3492-505-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3492-103-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-248-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3876-472-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3892-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3892-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4068-499-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4084-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4084-424-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4208-475-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4208-232-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4236-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-454-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4464-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4464-481-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4496-503-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4496-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-431-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4512-400-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-359-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4528-442-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-445-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4660-350-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4724-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4872-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4872-507-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4880-120-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4880-501-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4928-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5008-483-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5008-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5064-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5064-487-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-495-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5100-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download