c0cd9a7f2987c7eca65906f7f210c53f88055822a95f7833333d3c8a3c3c43fa

Analysis

max time kernel
1355s
max time network
1441s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-uklocale:uk-uaos:windows10-ltsc 2021-x64systemwindows
submitted
21-11-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

дрова/klmcp.exe
Size

19.1MB
MD5

0a2ca34cb4107331c84106593c95dbd0
SHA1

fe553065040b0175dc5ba23205a0415ea320f858
SHA256

3d0a23d9564d7234c42bd437af57539b6e20728d8d906b872b7f9ab974887481
SHA512

4d2fc0d6acb542afb01986f800c77eac2756822c38973acca27ba346d7ece95a1e9d8852c61245f941aa405d4025902b79a37cb0e4e22f961fd41d1318f9e7a1
SSDEEP

393216:1E/h/ZTb0njlxPU5qXWAqCcvcAPEoV8ROsM8TofqkVkaU9Yy4A4:mhBELPU5cWBCcvcA2sgekaIY5F

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral32/files/0x00280000000451ec-599.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4944	klmcp.tmp

Loads dropped DLL 52 IoCs

pid	Process
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4232	regsvr32.exe
2260	regsvr32.exe
60	regsvr32.exe
3604	regsvr32.exe
3604	regsvr32.exe
3604	regsvr32.exe
3216	regsvr32.exe
3868	regsvr32.exe
3108	regsvr32.exe
3600	regsvr32.exe
3212	regsvr32.exe
760	regsvr32.exe
2020	regsvr32.exe
4520	regsvr32.exe
4520	regsvr32.exe
4520	regsvr32.exe
5004	regsvr32.exe
2212	regsvr32.exe
4380	regsvr32.exe
2608	regsvr32.exe
4640	regsvr32.exe
3620	regsvr32.exe
3620	regsvr32.exe
3620	regsvr32.exe
3620	regsvr32.exe
3620	regsvr32.exe
1108	regsvr32.exe
1108	regsvr32.exe
1108	regsvr32.exe
1108	regsvr32.exe
1108	regsvr32.exe
2800	regsvr32.exe
2800	regsvr32.exe
2800	regsvr32.exe
1100	regsvr32.exe
1100	regsvr32.exe
1100	regsvr32.exe
1100	regsvr32.exe
1100	regsvr32.exe
1560	regsvr32.exe
2056	regsvr32.exe
4200	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-A136Q.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-0JRI7.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-E9G27.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-65LDB.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-DQ1KR.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-MFG5U.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-SBJL0.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-2LVA8.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-4LGM3.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-OIAQ8.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-E85UA.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-2ONOF.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-FIAUU.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-BVQ2N.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-041Q6.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-OD89L.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-QJESJ.tmp	klmcp.tmp
File created	C:\Windows\SysWOW64\is-82HIV.tmp	klmcp.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral32/files/0x00280000000451ec-599.dat	upx
behavioral32/memory/5004-602-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-ULL5N.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\unins000.dat	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\is-RKIRU.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\XvidQuantMatrices\is-L2H9Q.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-2B0HO.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-D3SDP.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\is-51DDB.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Info\is-4P57F.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-BRLKG.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\is-0H1LQ.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Info\is-RBRDU.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\is-IDDQ9.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\XvidQuantMatrices\is-MTUEJ.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-4D2JN.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-H7MJD.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-EVBU0.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Rpplugins\is-SUMG8.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-5C2BM.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Update_OB\is-RKU5E.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Info\is-A1765.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Media Player Classic\is-LJMVE.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-CBG79.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\is-4Q58F.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\custom matrices\is-QOGQI.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-PA1L5.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-78QK1.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-AM7E5.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Common\is-SJC5M.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-V8MLL.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\is-88E24.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\is-8HF93.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-36LJK.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-ML1CB.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\XvidQuantMatrices\is-HLHDD.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-SJP4J.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Browser\Components\is-8N8T2.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-2O2P9.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\is-5PSHL.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\is-VJ1UO.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-TA0JB.tmp	klmcp.tmp
File created	C:\Program Files\Google\Chrome\Application\plugins\is-9VSVP.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\XvidQuantMatrices\is-88M1M.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\XvidQuantMatrices\is-P0EA5.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\is-QRCHV.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\custom matrices\is-UNULR.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-2BOBU.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\custom matrices\is-6S4NV.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-BDR17.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-BV6NN.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\is-N6CO4.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-MOQ4I.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-O5NMF.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-BCPBG.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-0B7I6.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-IB97N.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Filters\is-SPIM6.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-OQK69.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\ExtResources\is-VCGTA.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-6PETO.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\is-5J3I1.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Common\is-EIISK.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\languages\is-I0F7U.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Tools\gspot\is-QFO05.tmp	klmcp.tmp
File created	C:\Program Files (x86)\K-Lite Codec Pack\Real\Plugins\is-I86VO.tmp	klmcp.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\is-RNR6T.tmp	klmcp.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klmcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klmcp.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\KLCP.bak = "VLC.3g2"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{224E833B-2CC6-42D9-AE39-90B6A38A4FA2}\VersionIndependentProgID\ = "rmocx.RealPlayer SMIL Download Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpg\shell\open\command	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpe\shell\enqueue\ = "Add to MPC Playlist"	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A41E11-91DB-4461-95CD-0C02327FD934}\InprocServer32\ = "C:\\Windows\\SysWow64\\rmoc3260.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1A41E11-91DB-4461-95CD-0C02327FD934}\DocObject	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmocx.RealPlayer RAM Download Handler.1\CLSID\ = "{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.oga\DefaultIcon\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media player Classic\\mpciconlib.dll,\"18"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mts\PreviousRegistration = "VLC.mts"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.3gp2\DefaultIcon\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media Player Classic\\mpciconlib.dll\",6"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9024FA6B-7751-4EA7-B575-393B472434EF}\InprocServer32\ = "C:\\Program Files (x86)\\K-Lite Codec Pack\\Filters\\mmmpcdec.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.amr\shell\enqueue	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E9922F0-B775-45B8-B650-941BEA790EEB}\ = "DwString::GlobalInitialization"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F43B7D9-9D6B-4F48-BE18-4D787C795EEA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpe\shell	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2}\4 = "0,2,,0000,4,4,,66747970"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D26B55F2-8137-4916-9761-B5D415D25768}\Instance\{D26B55F2-8137-4916-9761-B5D415D25768}\CLSID = "{D26B55F2-8137-4916-9761-B5D415D25768}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEA8DEFF-0AF7-4DB9-9A38-FB3C3AEFC0DE}\ = "Avi Source"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rpm\shell\open	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mplayerc.exe\SupportedTypes\.mp+	klmcp.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\RealNetworks\RealMediaSDK\6.0\Preferences\CookiesEnabled\ = "0"	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CEEEECF-3FEE-4548-B529-C254CAF4D182}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\ = "Haali Video Renderer Properties"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmocx.RealPlayer SMIL Download Handler.1\CLSID\ = "{224E833B-2CC6-42D9-AE39-90B6A38A4FA2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mts	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\RealNetworks\RealPlayer\6.0\Preferences\ApplicationName\ = "RealPlayer"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}\InprocServer32\ = "C:\\Program Files (x86)\\K-Lite Codec Pack\\Filters\\vsfilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.ogm	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7AF1F00-A702-4D1B-8490-8B7E0CDC3DEF}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmocx.RealPlayer Download Handler.1\EditFlags = 00000100	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ifo\shell\enqueue	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mkv\ = "Matroska File"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mplayerc.exe\SupportedTypes\.mp4	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{545A00C2-FCCC-40B3-9310-2C36AE64B0DD}\InprocServer32\ = "C:\\Program Files (x86)\\K-Lite Codec Pack\\ffdshow\\ffdshow.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C2D6D98F-09CA-4524-AF64-1049B5665C9C}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{555C4774-101E-49D7-8EEC-B9B87F8E1905}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b71b657260db3139b4cac9f2ee055c517550100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DD46B28-8A7F-409B-A365-C5CE3946A0C7}\InprocServer32\ = "C:\\Program Files (x86)\\K-Lite Codec Pack\\Filters\\WavPackDSDecoder.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flv\ = "mplayerc.flv"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mplayerc.exe\SupportedTypes\.3g2	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.mpe\shell\enqueue\command	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rmm\shell\open\command\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe\" \"%1\""	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmm\PerceivedType = "audio"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B86F6BEE-E7C0-4D03-8D52-5B4430CF6C88}\ = "ffdshow Audio Processor"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmocx.RealPlayer RAM Download Handler\EditFlags = 00000100	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.avi\shell\enqueue	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.ram\shell\open	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C3E2E983-0198-4F73-9E5C-8365BB4C4131}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05F983EC-637F-4133-B489-5E03914929D7}\ = "ffdshow Video Codec"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.vob\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media player Classic\\mplayerc.exe\" /add \"%1\""	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.rp\shell\open\command\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe\" \"%1\""	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\RealNetworks\RealPlayer\6.0\Preferences\GetHTTPProxyFromBrowser	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mplayerc.m2v\shell\open\command\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe\" \"%1\""	klmcp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp2	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{007FC171-01AA-4B3A-B2DB-062DEE815A1E}\InprocServer32\ = "C:\\Program Files (x86)\\K-Lite Codec Pack\\ffdshow\\ffdshow.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.divx\Content Type = "video/avi"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.rn-realmedia\CLSID = "{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}}"	klmcp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{564FD788-86C9-4444-971E-CC4A243DA150}\ = "Haali Media Splitter (AR)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFCDAA02-8BE4-11CF-B84B-0020AFBBCCFA}\ = "DRealAudioEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\ = "\"C:\\Program Files (x86)\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe\" %1"	klmcp.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp
4944	klmcp.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4944	1672	klmcp.exe	81
PID 1672 wrote to memory of 4944	1672	klmcp.exe	81
PID 1672 wrote to memory of 4944	1672	klmcp.exe	81
PID 4944 wrote to memory of 4232	4944	klmcp.tmp	90
PID 4944 wrote to memory of 4232	4944	klmcp.tmp	90
PID 4944 wrote to memory of 4232	4944	klmcp.tmp	90
PID 4944 wrote to memory of 2260	4944	klmcp.tmp	91
PID 4944 wrote to memory of 2260	4944	klmcp.tmp	91
PID 4944 wrote to memory of 2260	4944	klmcp.tmp	91
PID 4944 wrote to memory of 60	4944	klmcp.tmp	92
PID 4944 wrote to memory of 60	4944	klmcp.tmp	92
PID 4944 wrote to memory of 60	4944	klmcp.tmp	92
PID 4944 wrote to memory of 3604	4944	klmcp.tmp	93
PID 4944 wrote to memory of 3604	4944	klmcp.tmp	93
PID 4944 wrote to memory of 3604	4944	klmcp.tmp	93
PID 4944 wrote to memory of 3216	4944	klmcp.tmp	94
PID 4944 wrote to memory of 3216	4944	klmcp.tmp	94
PID 4944 wrote to memory of 3216	4944	klmcp.tmp	94
PID 4944 wrote to memory of 3868	4944	klmcp.tmp	95
PID 4944 wrote to memory of 3868	4944	klmcp.tmp	95
PID 4944 wrote to memory of 3868	4944	klmcp.tmp	95
PID 4944 wrote to memory of 3108	4944	klmcp.tmp	96
PID 4944 wrote to memory of 3108	4944	klmcp.tmp	96
PID 4944 wrote to memory of 3108	4944	klmcp.tmp	96
PID 4944 wrote to memory of 3600	4944	klmcp.tmp	97
PID 4944 wrote to memory of 3600	4944	klmcp.tmp	97
PID 4944 wrote to memory of 3600	4944	klmcp.tmp	97
PID 4944 wrote to memory of 3212	4944	klmcp.tmp	98
PID 4944 wrote to memory of 3212	4944	klmcp.tmp	98
PID 4944 wrote to memory of 3212	4944	klmcp.tmp	98
PID 4944 wrote to memory of 760	4944	klmcp.tmp	99
PID 4944 wrote to memory of 760	4944	klmcp.tmp	99
PID 4944 wrote to memory of 760	4944	klmcp.tmp	99
PID 4944 wrote to memory of 2020	4944	klmcp.tmp	100
PID 4944 wrote to memory of 2020	4944	klmcp.tmp	100
PID 4944 wrote to memory of 2020	4944	klmcp.tmp	100
PID 4944 wrote to memory of 4520	4944	klmcp.tmp	101
PID 4944 wrote to memory of 4520	4944	klmcp.tmp	101
PID 4944 wrote to memory of 4520	4944	klmcp.tmp	101
PID 4944 wrote to memory of 5004	4944	klmcp.tmp	102
PID 4944 wrote to memory of 5004	4944	klmcp.tmp	102
PID 4944 wrote to memory of 5004	4944	klmcp.tmp	102
PID 4944 wrote to memory of 2212	4944	klmcp.tmp	103
PID 4944 wrote to memory of 2212	4944	klmcp.tmp	103
PID 4944 wrote to memory of 2212	4944	klmcp.tmp	103
PID 4944 wrote to memory of 4380	4944	klmcp.tmp	104
PID 4944 wrote to memory of 4380	4944	klmcp.tmp	104
PID 4944 wrote to memory of 4380	4944	klmcp.tmp	104
PID 4944 wrote to memory of 2608	4944	klmcp.tmp	105
PID 4944 wrote to memory of 2608	4944	klmcp.tmp	105
PID 4944 wrote to memory of 2608	4944	klmcp.tmp	105
PID 4944 wrote to memory of 4640	4944	klmcp.tmp	106
PID 4944 wrote to memory of 4640	4944	klmcp.tmp	106
PID 4944 wrote to memory of 4640	4944	klmcp.tmp	106
PID 4944 wrote to memory of 3620	4944	klmcp.tmp	107
PID 4944 wrote to memory of 3620	4944	klmcp.tmp	107
PID 4944 wrote to memory of 3620	4944	klmcp.tmp	107
PID 4944 wrote to memory of 1108	4944	klmcp.tmp	108
PID 4944 wrote to memory of 1108	4944	klmcp.tmp	108
PID 4944 wrote to memory of 1108	4944	klmcp.tmp	108
PID 4944 wrote to memory of 2800	4944	klmcp.tmp	109
PID 4944 wrote to memory of 2800	4944	klmcp.tmp	109
PID 4944 wrote to memory of 2800	4944	klmcp.tmp	109
PID 4944 wrote to memory of 1100	4944	klmcp.tmp	110

C:\Users\Admin\AppData\Local\Temp\дрова\klmcp.exe
"C:\Users\Admin\AppData\Local\Temp\дрова\klmcp.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\is-4151N.tmp\klmcp.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4151N.tmp\klmcp.tmp" /SL5="$501C6,19634072,191488,C:\Users\Admin\AppData\Local\Temp\дрова\klmcp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\ffdshow.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4232
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\vp6dec.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:60
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\ac3filter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3604
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\ac3file.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3216
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmamr.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3868
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmmpcdmx.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3108
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmmpcdec.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3600
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3212
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\WavPackDSDecoder.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:760
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\WavPackDSSplitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\madFlac.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4520
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\MonkeySource.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5004
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\FLVSplitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2212
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\MP4Splitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\OggSplitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\avisplitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4640
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mkx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mp4.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\ts.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\splitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1100
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\dxr.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1560
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Filters\vsfilter.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2056
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\K-Lite Codec Pack\Real\RealMediaSplitter.ax"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4200
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\rmoc3260.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax

Filesize
340KB

MD5
734c8cbaf43180a90d28cb650b2d4c67

SHA1
252eb2a34539c185ce9e57c7efb1c17472dad28a

SHA256
dde7f5480a669f32fd7aa1a5e250bb05859df959276cc1ae1443d8c3b590696d

SHA512
c354183472e69b7e45ba9e5837498a5a88b244bdec3d51495abc422284a03bbbeda34cdd2340ff18bcf8dddf13ff8a2875fb10ebe5c08942967f43a8221d8a23

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\FLVSplitter.ax

Filesize
408KB

MD5
37ad5345cb08c167821f2caaca08aa26

SHA1
a8cf0893bd5c4285574f49ec26350d20255b223d

SHA256
8aa8cbed372fa996e79d490cc66cd8395b6138401988b546e81c4ae9357071e0

SHA512
363680eb6b2dd1de7693c17438247278a2193a49f3e81a8629b5584cfad31afd82b27bef52c8adf9bdc8f8ac5cd786d9f102daa48933d46baceffd8f2b7ad034

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mkunicode.dll

Filesize
23KB

MD5
48a2007cfe0ac7109b049711cd8878e9

SHA1
e9548af4d7111e200cdc99880135fd332ede6bb8

SHA256
ec67894a20661f57a7b4306c761e2448be8188c95ac6a87b6578c36c80a35058

SHA512
70b958b358007fa04737ea7644691790fd62d7b171aca3fc64647a4cf596d5413799cf5a84a59d1a533e572bf3111662b280f3da59f0dd2df7af0f599509df08

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mkx.dll

Filesize
145KB

MD5
32490c8e20f677996f29e0c61bccdb94

SHA1
d36ad22dcad316eb606537c790485590caec7430

SHA256
13d77ac8ec5b51f8486b01e0b9c8e681d42644a8e916a4330d4917fd0c267ad0

SHA512
061125f430c78b1a7a07d7bd7a2c6a22634d29e9f30caa03e63bf6e67b9aaeb17c180f4972e1d6571bab8881af2e714af8f294abd25635cc3fa27d6f8a5d2c6a

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mkzlib.dll

Filesize
77KB

MD5
e370be10ab395ee71602eab9d107da6c

SHA1
824ad35c47af461ead6260b9720fec0b252b382b

SHA256
46150d8aff6f9d3dc5adf8085e6a8f0c7ee59070ad813c01f50bab94bac28cd9

SHA512
206229fa596ad7b207e63b4b42e62602f41587c5e0cbd7250301df78e5ae47f407e42d13743064fd8f50f6f70b9c1dd0a556200275f64644ad5549fd2e2f9fb1

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\mp4.dll

Filesize
138KB

MD5
e1b7da4d31033282593de3a83a3d2416

SHA1
7f3f8c3bd2deb54bc290d1080a6acef98784bb39

SHA256
4ae438b58c4844ef22000b9c2333a0e0e437b4dabef1ea31ed4b5493c13b92d5

SHA512
05d1f6a5bdd24bcdf952834ae01154909855e29535e21d1b638feeeebb3ba1aa7d62626e2f21d3b0a6a26e3a4c00128598ec5f084cfc15ce92ba1ed46357875d

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\ts.dll

Filesize
160KB

MD5
1c93e5cfaf44133d11c61ae74842e400

SHA1
2e20abad1e446d69d10e281178db399c3685b6a8

SHA256
c2ebc7f4edb9acaedaef9f551e526b60d9b7693d802f0e933e9eb5bbd58a4adc

SHA512
164f0d17861e4f04cfe509022e5815d2719c63981da50ca35b47e6c09454310ee311a553378d6ac928cb84ff039ae85f9635fce5c38d2de7941f132a5373ac9e

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\MP4Splitter.ax

Filesize
508KB

MD5
42381a1efdd1cddfd3039361b0f7bf59

SHA1
ccdddaa0ccbda5e22c6ac9b4b6bb5a99318faf42

SHA256
3748f5b1985a8465a7b2a52c8d992ab665f14775543be9591b8958f1e5afe861

SHA512
b365136844560bd89b75d2a426144185bc44c0692ed99b120d52aa0ad7938520547fb47ae355ef8cc523dbe13415b9741806e617174cbdb574ff2340046efa91

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\MonkeySource.ax

Filesize
173KB

MD5
e14a141f614303c331cbdf38fc15b6cf

SHA1
65c9151792b9048777135c100d549fcecb49b810

SHA256
01f1840554c3207a2906865b071c0811d853e303d60b70144c181c01c5b230bc

SHA512
4b532a9217b2882e17bd373a9117396c94b4cf7638105f823859ac3cc43d87a0c014fb4c33657d8bffa380c8ad51ae825284f35a61d7de4f6ffe06c74c4a1c04

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\OggSplitter.ax

Filesize
368KB

MD5
8239433da9ccfdfb25b1fba0c69fee18

SHA1
6e2b643ded401637198089844a935fa468482773

SHA256
dbb0a6891cb04732a8438485df7cb8de588e22a3bf1ac48d8269805aa866117f

SHA512
69c3272fbb5df38a216f255face18694da03dfefd205aded1e89ffcdd0af3c4381fc458ab68e2a9b41e4021aa9ccfd797e191a0c80b26b03aa700d6fda87efb9

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\WavPackDSDecoder.ax

Filesize
144KB

MD5
7fba60e461326274ff354f7537481027

SHA1
ae799a2074e7d5b88a08cf54352a3301648ecead

SHA256
96ab123167cd2495d2e181f53843e995d833dd0f033c28781fb28f0ac94ce8f7

SHA512
e81805fc4f7e0f476748919cef38bbc47b738483aff87a11d056f11e58cf00855aed3e29a5d24b41249e3d2630cc2b82f1743100ba760b96257bc7f2909dc514

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\WavPackDSSplitter.ax

Filesize
80KB

MD5
707cb15443f8915701c3b0b747c2b799

SHA1
46604e40490657fc1b7fcc777d75594a17549de9

SHA256
c48781533dc9f259fb2b4bd10a0d11c3d40e90c623141649dc8608d69d6ba997

SHA512
e2814f2cfa05eadf031e51b73b4b4b9febcffa3335ffc8a71d4213e072346b86a333063243f36e399b6b0867c86bc4511c902c3775b5546334b90ea2d3f92153

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\ac3file.ax

Filesize
76KB

MD5
617d8088a67f8a1ab391e42b870d1b54

SHA1
4d304342c81a6dfcd9bf4ef63ec3d6827232876e

SHA256
7503dd3652eebbbd03bc20257f0c679c9e1f6f33f611a48816ffc0e667067a74

SHA512
b0e48704507b070469b296a54fc094437332143dd9d5f0bc50436e7cec2112a1ff1903f8c52a99611c6722c5c2e62ce6f482ccb430278f7b0abbfcb54c003662

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\ac3filter.ax

Filesize
660KB

MD5
f76e1461807291997b309bf34ccc59e2

SHA1
9b16d51d0719fc85253c46724be747b395c636ec

SHA256
922b877fcf4d09d5294976e6ad303fb5d7ea5d8a9e7f943f1f4e9f21dda80a1a

SHA512
b90b2842ced72542161cc5fdd26c60fdff742ef618806d76fdbc91274f9b8d00c50e983b6e20972445cda7bee439df2a088403b6f90947922d00d5236d2cc20e

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\avisplitter.ax

Filesize
372KB

MD5
531c2b0f8688b2173baf3c980a1af022

SHA1
bfe69aa72418b91a9fb5eb9bc37899c5c497319c

SHA256
37387d60ef54809466f042abedb3ab90f420ec9d10c3266b2f9ed8489fc290e2

SHA512
687491961163928925952c214b0e02feef89005e11636f2781625cdd9374bc3231253e742879c48151ee1915e2e619b8f36f973c640cf6016ed40bbccfd17151

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\iconv.dll

Filesize
872KB

MD5
60afbd58f9dfaf558003bd13e60f6bb3

SHA1
17bf442a6f3d3ff0624712f0ef272c989cf3ef0b

SHA256
dee0617599e3ffbf6aacefceef58de15d05b02447d9aee85ab1a074a82767704

SHA512
2bf981ffea8d4003b0b688fb34f8034e0a903a9dd0676396c3dbc6850f6b7c2f51bef5339c9d60f24b24e55d71740111ddb8da650b71d1d36ddb44aabb3423d0

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\libFLAC.dll

Filesize
252KB

MD5
5c3739f97d09caf8abcc0a1f14c82a49

SHA1
41eea45c079654b274eb2b58c3f42e75b7cfe4e4

SHA256
bc55629358df2ca70b555ace61de0a86228170d1f31c88e8a0abd253950e154c

SHA512
3c9c6764f34392e311aa29b7b970ffec8fbef62f0b13fcae6fd0a14ee9b2323ba9b837e8da661246650de5122035a6775ec131c72711f502173d4d1d6a14399f

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\madFlac.ax

Filesize
476KB

MD5
241754785a333fe38a25fdafd8a196c8

SHA1
5143c0e233554bcadc2d81cdc07547b9585fa254

SHA256
8a321a1e5d09445f3ca090a4d83fb237b29ba28e5f571ea1ff604d5a14ad227e

SHA512
ef661413f20535f47df6a8a91044d9920c22989a8644b4102c25667d37ec1d7890aa84e0bc357b5cb0b891790ec2f6779d4e8bff802715eaa69f9950796d3dfa

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmamr.ax

Filesize
672KB

MD5
a2680035053554d8a893e806fda79049

SHA1
a234657cfb6c30747f0b629b47e9ff919a5a39b3

SHA256
4d613e48865d1488531aa13178c634aca267e09ae1d2465fd28d56137fb501b7

SHA512
e6bf226aacbd8b8857690d189d56e0c6b67ff5ccef081e836ac639e9b5c6188a49efda980bfb73bb5b5babe491ff9e902e053565427e4539c07cd3ebd86b3d65

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmmpcdec.ax

Filesize
308KB

MD5
5e301f2da16a47b410739b5a8d848716

SHA1
5bfd93f6908884e47b759661c481dd29de79794f

SHA256
c6ed538dc8086724d9a90c7b9be1fd69ce7f93ba79958eada95b2e613a72bc47

SHA512
5e1128bf1c3484625d6c1c86de71433da3dc17b539f2937d5214c32253d023665ffd74d22ff42b6f0b028b69c8740c9d20fbaeb499cf315c4bba4476b55aa471

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\mmmpcdmx.ax

Filesize
308KB

MD5
cfd49fa8862fe327e1e3e79de3fbd6a7

SHA1
dbda50889ec04b93418381ad2b18c6d654ee03de

SHA256
4737216017bb948adcc2413d5898f9af16a751d240198bfb0658e3ac46e72726

SHA512
9c3e09cfcc3543da815fca961dbe4287b74c7bb642e6517c9bfe5f4877489f4af37f68fdad533af33d7851a702e7428b0e089640373628e52e4ced51390b4119

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\vp6dec.ax

Filesize
320KB

MD5
55ca1bff59bded14d855aaa5c5c0a6c1

SHA1
b1399962b73f4891da59a038f585eb7006695ee8

SHA256
f076fc98171423cc95ca7cece2814c53b60b2b654df8ab4af0d790fa5e673be7

SHA512
06bb53c40fe3835d2b9140f870c0d56d8f8e233763a0b0bfc62b2ced1f34b4da706af98461f81cbc05b48c643179a5521fb976db6ba3146819342b0d8e78c444

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax

Filesize
232KB

MD5
085574f70323b1842f076e6de899a78b

SHA1
748b2393795821f6b999ad55a476b2d2e480fe86

SHA256
1515637b179101c72e0a258b054d73b076b51b70c32aab686ce0e9dd9ec54b9c

SHA512
0e99fb46525d90cae9c76fcaa4531ba43b6613720527a89d8439ae52dfee2e1a23919acc08c74dbb2dec039407f48d27c4e31409d09b35cf2f6bb787ec91bd4f

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\cook3260.dll

Filesize
64KB

MD5
8bc5f371287336342c06b52828ef7ded

SHA1
bf27598eece58b3df3d9bcea4988fd74645f56d1

SHA256
0a8c69d30260a72ea3e23e8b8c10294d0cc5783cd58f1b80fb5f0ef319e47dd2

SHA512
2d1d02a1c9e385432d55765a7dca76196552856ad091631e34ef5ff0bc077a1c77c6abed845b6ba591519e3dac912be41698485f2b9194395600166d4507b8f9

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Real\Codecs\sipr3260.dll

Filesize
136KB

MD5
477b8f42f07ac5c022edb00831772f61

SHA1
5539402bd7266c8b7421116cae4fa61c8d637d08

SHA256
0d78d1da2979b332234e0942c479842fe4333d0d5197c3bb6b54543c647bebbd

SHA512
6817c1f141432ac2f1164489c20eb10d0fc38d47391009778a234771636335aff80325cfcb0b92f379f0b71fb293d0e8d337c137518bc9b401807f6fda6fceba

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Real\is-RSHIH.tmp

Filesize
12B

MD5
fa02fd8eb45f6989eb896ff1f384304e

SHA1
a9791dc2ce214268475c6613651b81217e9db5e4

SHA256
0c5b84dd007f1ec82417146e19f0963556c834de940a1d1416c04556e6c16878

SHA512
447d036abf18efdbd64ecc56b4f769b58eae463f5102fb87980bc037e340bb04eaf1ec389a272a241b9870c26dbaa7e1cecc2a47231fc6424ee3f6075b43776c

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\Real\settings.exe

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Program Files (x86)\K-Lite Codec Pack\ffdshow\ffdshow.ax

Filesize
2.5MB

MD5
2f469b87413b499f40f92106698b766d

SHA1
f4242d46e20ed43949284a13eda6bccabfb86aaa

SHA256
8ac2f1b5c09a3f977313cf6990dc3a7804aaf4c423148601726e2cce8b5cae34

SHA512
d7704851b12b0860d3edb89f754f41a8450c2b5932fc9f1de78171563cd62edb539220008a30fa8ee18e9ac9f468625f339fc100bf852b8279688926daa883f4

Download Submit
C:\Program Files\Google\Chrome\Application\plugins\nppl3260.dll

Filesize
141KB

MD5
5db82b8c515c875ae58e1b8b5997416b

SHA1
e97525a75b61921c7922d1d435392ad7a2572e46

SHA256
80df6dd09ac6b6d9e253f5c88cc564c5c3f3db3c11213223f40c003d0d2fa18f

SHA512
4c1e924cd33a7506947a4dbc02618f66965de24412875d85dfb094f768d465a8aca0d9d672c81d762ede79d2ef16e1493a22d4f0623221bb6f4502c06606acee

Download Submit
C:\Program Files\Google\Chrome\Application\plugins\nppl3260.xpt

Filesize
6KB

MD5
811ba568e7fc0a61b763fd21906bd258

SHA1
cfda4c02785deec27be3ceba854989c27aa08428

SHA256
68d36aa053bd715a7b3c6b64c43182c6d6c3f50429a3ecf80713edba3e31ec93

SHA512
180d1d02bf8528ffeb513a5f11087eb6eb3e1ab020d0fc9e64af60e8b1f3cd6ab5157a0776eecc3ec177027bd59011149c83ea1f51cd413d36b4c5f189dd154a

Download Submit
C:\Program Files\Google\Chrome\Application\plugins\nprpjplug.dll

Filesize
92KB

MD5
2cda67c1309ca966d8efee4ee0d6ca92

SHA1
12a98fa32d7095f7c5c3041b9c389b60d859340a

SHA256
c89d9a50f022ef0d19a6cb436ddda796fd94cdec3cab1d949a2a248d209b3a20

SHA512
38140502302cde335405a2a16d47b663883b2b0fe2c06ce4123f68b12cd53cabd48db83d5ba5a6ed4655bd9e06e48c39271c8564bca247b5384d72e98c9a68ee

Download Submit
C:\Program Files\Google\Chrome\Application\plugins\nsJSRealPlayerPlugin.xpt

Filesize
556B

MD5
2997045bced819dc37a5d234515a7c84

SHA1
35553012297fe340222805883537295678b18c68

SHA256
eb0f2fb39b84600fed5a8ae7c7ba5a64dd0e9ce796f82d0c7e644401186eddc4

SHA512
351f3f75e9ce23ca4dc62d2a4f99f288738adbf9147355e78c656e95178e0b8e62fa603a623d79ae79cb34667fa89d626c8031fa54e84a06fd61778e9b20c665

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4151N.tmp\klmcp.tmp

Filesize
804KB

MD5
00f2e43591f0eff61f55aafe90dfc43c

SHA1
db1f55df4237b5b3e37590ebcec92c9e2287f531

SHA256
fb8e849f0aec45d0090635d61f11f2c3a9a663546be2b32d33549d43247bcc67

SHA512
467b471af672209c4a22efe4be77ccd39ead317928e69a743f70c6a9bd9499f316e604fb68afa90fa57bfde44001fe35d8f3b66584a7fb18004f2ed4edba5ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RN5NM.tmp\WinCPUID.dll

Filesize
56KB

MD5
22eb46911320614e971c05a21c649837

SHA1
35ee160ccd5edf0bf30f19ae2cb923e4c5b0d6ae

SHA256
55dc7047acae697ddb1cd0b912fcf9d470ac5eacefa2fcc7c8cf2a6c37ada202

SHA512
722a172c96065e81661520bb215838243bd9e4744bdb42e5f2c8e5fc5a746292ad75d114d1476fbdbca7b8f04b8a498dce93b2f1d52475f6392a90d8580605f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RN5NM.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RN5NM.tmp\ffSpkCfg.dll

Filesize
40KB

MD5
313092dcc48091a1259a4c9dbedc5b76

SHA1
086b57788bb83123570755bf23ac17d23ad7de79

SHA256
416ae1233fa908b72a75891599cb6e445d50e9e02cd1938a47f09ef8f2588323

SHA512
2eba04091f03c8a9fd5888890b834663b3e25d1e8469020d27d0315e0086ca805f4a4a3f1431d5652efd143c0763fa5e1e39e5b39adf8b4f7100008afe7a7708

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RN5NM.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
memory/1100-630-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/1108-627-0x0000000000B30000-0x0000000000B46000-memory.dmp

Filesize
88KB

Download
memory/1672-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1672-652-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1672-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1672-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3604-577-0x00000000025A0000-0x000000000267A000-memory.dmp

Filesize
872KB

Download
memory/3620-618-0x0000000002230000-0x0000000002246000-memory.dmp

Filesize
88KB

Download
memory/4520-596-0x0000000001FC0000-0x000000000203D000-memory.dmp

Filesize
500KB

Download
memory/4944-601-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-7-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-37-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-43-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-41-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-39-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-33-0x0000000005DC0000-0x0000000005DCB000-memory.dmp

Filesize
44KB

Download
memory/4944-651-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5004-602-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download