edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Size

272KB
MD5

3f89e22fbaf37996b3f3e331cd2b5ca1
SHA1

8d0d856d3fdb203f3d052ad9c4045961763d67fd
SHA256

edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677
SHA512

ce835e15ee50facc20f03bea41ecb330c38acb91c1239b71026b087c4d98f4306ba70d083b8c8a84d6f37b49a9046a53e8d52cc33928ce7191e7deb1949ccaf3
SSDEEP

6144:KMwIRdoz18mkwkByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:KURM1817ByvNv54B9f01ZmHByvNv5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ncldnkae.exeedc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exeMaohkd32.exeMjjmog32.exeNqfbaq32.exeNdidbn32.exeNnjbke32.exeNqiogp32.exeNbkhfc32.exeMcnhmm32.exeMgidml32.exeMglack32.exeNnhfee32.exeNgedij32.exeMkpgck32.exeNklfoi32.exeMnapdf32.exeMjhqjg32.exeNjcpee32.exeMdfofakp.exeMaaepd32.exeNqklmpdd.exeMajopeii.exeMdmegp32.exeMgnnhk32.exeMcklgm32.exeMkbchk32.exeMdpalp32.exeNkncdifl.exeNkjjij32.exeNcgkcl32.exeMdiklqhm.exeMpolqa32.exeNceonl32.exeNnmopdep.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe

Executes dropped EXE 35 IoCs

Processes:

Mdfofakp.exeMkpgck32.exeMajopeii.exeMdiklqhm.exeMcklgm32.exeMkbchk32.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNcgkcl32.exeNkncdifl.exeNnmopdep.exeNqklmpdd.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNdidbn32.exeNcldnkae.exeNkcmohbg.exe

pid	process
5100	Mdfofakp.exe
4364	Mkpgck32.exe
3044	Majopeii.exe
692	Mdiklqhm.exe
2696	Mcklgm32.exe
1508	Mkbchk32.exe
3972	Mnapdf32.exe
4344	Mpolqa32.exe
4688	Mcnhmm32.exe
3624	Mgidml32.exe
1012	Mjhqjg32.exe
2276	Maohkd32.exe
688	Mdmegp32.exe
2320	Mglack32.exe
3472	Mjjmog32.exe
4468	Maaepd32.exe
4976	Mdpalp32.exe
4092	Mgnnhk32.exe
3280	Nkjjij32.exe
3748	Nnhfee32.exe
2660	Nqfbaq32.exe
3544	Nceonl32.exe
3716	Nklfoi32.exe
3288	Nnjbke32.exe
3452	Nqiogp32.exe
1812	Ncgkcl32.exe
3120	Nkncdifl.exe
1164	Nnmopdep.exe
3172	Nqklmpdd.exe
760	Ngedij32.exe
3592	Njcpee32.exe
4592	Nbkhfc32.exe
3596	Ndidbn32.exe
3988	Ncldnkae.exe
4864	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Mdfofakp.exeMcnhmm32.exeMaaepd32.exeNkncdifl.exeNgedij32.exeedc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exeMglack32.exeMjjmog32.exeMgnnhk32.exeMaohkd32.exeMajopeii.exeNnjbke32.exeMkpgck32.exeMgidml32.exeNbkhfc32.exeMcklgm32.exeNkjjij32.exeNcgkcl32.exeMjhqjg32.exeNnhfee32.exeNklfoi32.exeNdidbn32.exeNcldnkae.exeMkbchk32.exeNceonl32.exeNqklmpdd.exeMnapdf32.exeMdmegp32.exeMpolqa32.exeMdpalp32.exeMdiklqhm.exeNnmopdep.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4316 4864 WerFault.exe

pid	pid_target	process
4316	4864	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Nqiogp32.exeNbkhfc32.exeMaaepd32.exeNkjjij32.exeNjcpee32.exeMglack32.exeNkncdifl.exeMdiklqhm.exeMkbchk32.exeedc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exeMkpgck32.exeMdmegp32.exeMnapdf32.exeMpolqa32.exeMdpalp32.exeNnmopdep.exeNnhfee32.exeNnjbke32.exeNqklmpdd.exeMgidml32.exeNqfbaq32.exeNceonl32.exeNcgkcl32.exeMcklgm32.exeMjhqjg32.exeMajopeii.exeMcnhmm32.exeNdidbn32.exeNcldnkae.exeMaohkd32.exeNgedij32.exeMjjmog32.exeMgnnhk32.exeNklfoi32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exeMdfofakp.exeMkpgck32.exeMajopeii.exeMdiklqhm.exeMcklgm32.exeMkbchk32.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exe

description	pid	process	target process
PID 1128 wrote to memory of 5100	1128	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe	Mdfofakp.exe
PID 1128 wrote to memory of 5100	1128	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe	Mdfofakp.exe
PID 1128 wrote to memory of 5100	1128	edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe	Mdfofakp.exe
PID 5100 wrote to memory of 4364	5100	Mdfofakp.exe	Mkpgck32.exe
PID 5100 wrote to memory of 4364	5100	Mdfofakp.exe	Mkpgck32.exe
PID 5100 wrote to memory of 4364	5100	Mdfofakp.exe	Mkpgck32.exe
PID 4364 wrote to memory of 3044	4364	Mkpgck32.exe	Majopeii.exe
PID 4364 wrote to memory of 3044	4364	Mkpgck32.exe	Majopeii.exe
PID 4364 wrote to memory of 3044	4364	Mkpgck32.exe	Majopeii.exe
PID 3044 wrote to memory of 692	3044	Majopeii.exe	Mdiklqhm.exe
PID 3044 wrote to memory of 692	3044	Majopeii.exe	Mdiklqhm.exe
PID 3044 wrote to memory of 692	3044	Majopeii.exe	Mdiklqhm.exe
PID 692 wrote to memory of 2696	692	Mdiklqhm.exe	Mcklgm32.exe
PID 692 wrote to memory of 2696	692	Mdiklqhm.exe	Mcklgm32.exe
PID 692 wrote to memory of 2696	692	Mdiklqhm.exe	Mcklgm32.exe
PID 2696 wrote to memory of 1508	2696	Mcklgm32.exe	Mkbchk32.exe
PID 2696 wrote to memory of 1508	2696	Mcklgm32.exe	Mkbchk32.exe
PID 2696 wrote to memory of 1508	2696	Mcklgm32.exe	Mkbchk32.exe
PID 1508 wrote to memory of 3972	1508	Mkbchk32.exe	Mnapdf32.exe
PID 1508 wrote to memory of 3972	1508	Mkbchk32.exe	Mnapdf32.exe
PID 1508 wrote to memory of 3972	1508	Mkbchk32.exe	Mnapdf32.exe
PID 3972 wrote to memory of 4344	3972	Mnapdf32.exe	Mpolqa32.exe
PID 3972 wrote to memory of 4344	3972	Mnapdf32.exe	Mpolqa32.exe
PID 3972 wrote to memory of 4344	3972	Mnapdf32.exe	Mpolqa32.exe
PID 4344 wrote to memory of 4688	4344	Mpolqa32.exe	Mcnhmm32.exe
PID 4344 wrote to memory of 4688	4344	Mpolqa32.exe	Mcnhmm32.exe
PID 4344 wrote to memory of 4688	4344	Mpolqa32.exe	Mcnhmm32.exe
PID 4688 wrote to memory of 3624	4688	Mcnhmm32.exe	Mgidml32.exe
PID 4688 wrote to memory of 3624	4688	Mcnhmm32.exe	Mgidml32.exe
PID 4688 wrote to memory of 3624	4688	Mcnhmm32.exe	Mgidml32.exe
PID 3624 wrote to memory of 1012	3624	Mgidml32.exe	Mjhqjg32.exe
PID 3624 wrote to memory of 1012	3624	Mgidml32.exe	Mjhqjg32.exe
PID 3624 wrote to memory of 1012	3624	Mgidml32.exe	Mjhqjg32.exe
PID 1012 wrote to memory of 2276	1012	Mjhqjg32.exe	Maohkd32.exe
PID 1012 wrote to memory of 2276	1012	Mjhqjg32.exe	Maohkd32.exe
PID 1012 wrote to memory of 2276	1012	Mjhqjg32.exe	Maohkd32.exe
PID 2276 wrote to memory of 688	2276	Maohkd32.exe	Mdmegp32.exe
PID 2276 wrote to memory of 688	2276	Maohkd32.exe	Mdmegp32.exe
PID 2276 wrote to memory of 688	2276	Maohkd32.exe	Mdmegp32.exe
PID 688 wrote to memory of 2320	688	Mdmegp32.exe	Mglack32.exe
PID 688 wrote to memory of 2320	688	Mdmegp32.exe	Mglack32.exe
PID 688 wrote to memory of 2320	688	Mdmegp32.exe	Mglack32.exe
PID 2320 wrote to memory of 3472	2320	Mglack32.exe	Mjjmog32.exe
PID 2320 wrote to memory of 3472	2320	Mglack32.exe	Mjjmog32.exe
PID 2320 wrote to memory of 3472	2320	Mglack32.exe	Mjjmog32.exe
PID 3472 wrote to memory of 4468	3472	Mjjmog32.exe	Maaepd32.exe
PID 3472 wrote to memory of 4468	3472	Mjjmog32.exe	Maaepd32.exe
PID 3472 wrote to memory of 4468	3472	Mjjmog32.exe	Maaepd32.exe
PID 4468 wrote to memory of 4976	4468	Maaepd32.exe	Mdpalp32.exe
PID 4468 wrote to memory of 4976	4468	Maaepd32.exe	Mdpalp32.exe
PID 4468 wrote to memory of 4976	4468	Maaepd32.exe	Mdpalp32.exe
PID 4976 wrote to memory of 4092	4976	Mdpalp32.exe	Mgnnhk32.exe
PID 4976 wrote to memory of 4092	4976	Mdpalp32.exe	Mgnnhk32.exe
PID 4976 wrote to memory of 4092	4976	Mdpalp32.exe	Mgnnhk32.exe
PID 4092 wrote to memory of 3280	4092	Mgnnhk32.exe	Nkjjij32.exe
PID 4092 wrote to memory of 3280	4092	Mgnnhk32.exe	Nkjjij32.exe
PID 4092 wrote to memory of 3280	4092	Mgnnhk32.exe	Nkjjij32.exe
PID 3280 wrote to memory of 3748	3280	Nkjjij32.exe	Nnhfee32.exe
PID 3280 wrote to memory of 3748	3280	Nkjjij32.exe	Nnhfee32.exe
PID 3280 wrote to memory of 3748	3280	Nkjjij32.exe	Nnhfee32.exe
PID 3748 wrote to memory of 2660	3748	Nnhfee32.exe	Nqfbaq32.exe
PID 3748 wrote to memory of 2660	3748	Nnhfee32.exe	Nqfbaq32.exe
PID 3748 wrote to memory of 2660	3748	Nnhfee32.exe	Nqfbaq32.exe
PID 2660 wrote to memory of 3544	2660	Nqfbaq32.exe	Nceonl32.exe

C:\Users\Admin\AppData\Local\Temp\edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe
"C:\Users\Admin\AppData\Local\Temp\edc542fe63461771530cadd0064e29fc89ef66d64af30fbe8cc4d734f50bb677.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3544

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3716

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3288

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3452

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1812

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3120

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1164

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:760

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3592

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4592

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3596

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3988

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
36⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 412
37⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
1⤵
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Epmjjbbj.dll
Filesize
7KB

MD5
3d33c33766bc50d382ed5d6dbda5d549

SHA1
9313ac5040e3a5fac095e31165c22d3a618fce46

SHA256
bd2e75fbbf4009e05e924499e51605c22978d58646e32a6b1cc752399640aa26

SHA512
015fff4e58d7b598f584c49972bddf1eb9a142bb993b4a9d77a1b3eaa95efda28a637885ea3ad0f8bb317d114ff30bd2f9a7052df78c69f5eb7194c77261f83a

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe
Filesize
272KB

MD5
1790db98eefd7ec70e5247547bf79702

SHA1
9e312b3ffcd57b6a41214657d2a4d09f282d4372

SHA256
157de8a72e0b5f0d3ea6079d91aae1f03569f1341f16d9f4cf4cc0307fcfb35f

SHA512
06e2f31e06e1fd67d5ad0734e1b5cc7c4f1f3ed1b4a9e4f953d9594584c73c39ef86de3a53432cd4de904ffbbd44596071a391978e57a35359476be90fb48e3f

Download Submit
C:\Windows\SysWOW64\Majopeii.exe
Filesize
272KB

MD5
d55209f3a4869f2ed6152b35919b578e

SHA1
a7a67954d505e56d220a5f8d06d451a0468f0581

SHA256
86ac1b9d35be8ff0f71deb116d41051fcb6950bf1f682427d0a94a86f9946ece

SHA512
7ee6774326be03fe2e96af0dc0e637b2f66b906ed0aa11deef466179325bc77788f9e24c27a3e471d920189e2d56701e7ac88d4138b797ddffa349120ad97ab8

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe
Filesize
272KB

MD5
628393d8d06862faeaf56529307d3390

SHA1
dfa31bce1817d291781e2110c4aeabe72d5ed910

SHA256
1a2a242be1695bd20ea9c9eb8ad7f05162b55b9be73b9d64307105a9d308078f

SHA512
84ac6c432507c4ee785789d097f4657ac44232a8e3c1ec0a24d37b1daf7f81bf00331577643d3b6a24ac5d9129a14349f2a314944a1350421ef394e99514b25f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe
Filesize
272KB

MD5
9a1fc4bc08708d72a61605b89c60f2d9

SHA1
8e9a1645bb308e442cd149b7d6543e8e29b28ba5

SHA256
7dbf3156880f9013f20309c613ff25fb4286a176eda7998dcc54bdff669e61f9

SHA512
80c4841d5d530f8c7490dc0bcde4ba377cd4546e0bd3eaf9c67a65f4d387d85ecdc9a6d00d77feabdb9eddb9fd68edbc0314e079e9164ec1840f0a483ce37e1d

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe
Filesize
272KB

MD5
73afcd3ef8d87330cf7a858609fa09db

SHA1
234694a2e572682b1621e2731a980b7d0b0d27c6

SHA256
a8782b23f24511a7f464fe52dd018d31e3913565451b65bd3bdb588923310cb4

SHA512
4b8d3dfc06ed480ec2f0ba491db181dc03a5f8fcfb123d7ec8a3111a0f4fca9bbdecc122af6712c624befd530bb72a9c7050136e3e76cef0aa046e0cb8ee5ea6

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe
Filesize
272KB

MD5
b53e4e6d2dc790766654b5bbce8c49b1

SHA1
45dcf6c13c7f852f2a13936b9adfb37dfdfb3c90

SHA256
a6be830823658457a9a3d32fab6092253662dce2295514c15ceea2ce6d80d69d

SHA512
0669e725e80a3867b5d9ecec37be515f4f9113db776c29e03642fea3a27d7a89fd7ebd40ed617ff80ba9be976400e929df6a839f8a62b4b07bc6f5d1b03a6c25

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe
Filesize
272KB

MD5
56eec18a51c8a1770491ba87d862e5b5

SHA1
8d2cb23e9c81498046a0cd021df6f317fc94a5d2

SHA256
b908ef10c6259bde054000ec962a2a786c508a0d2ae9d2c480dfba36bf6db8c0

SHA512
b1a34b48cd51e737d4029c6b0c8aa84921e44252a3399bdb84aa64e61fcf12ab3b975133e486b9f69dced8d85755600262713705dd2545fda758ed632c1993c3

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe
Filesize
272KB

MD5
e0621eba1b8d10be3fd1987d9d4d4be0

SHA1
4cd4bb71ba54462495d783547194521c3898cf9f

SHA256
ed56c0999e7f94bab839e5c1b5ebe14632131a1dc90ead31f37ad79d7e3a099c

SHA512
a5275cd7740f3657e034bf20d6db26845e88486cb29b8c22a144aa2e6acab1b5f444d3c707cd8779e679f0d117c4382380113a25be66cec798c8cda5f97041ba

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe
Filesize
272KB

MD5
58b82ce0b2c02ce20307a4ca44212a9b

SHA1
1253ea24e1ead205ffe436ac2be0dab4a6872cc1

SHA256
a47cb592e2ba55c299aa341c229746b2db813f03323a75e005b27bd625ec0f79

SHA512
a20136cbbc9a4c6902563ce2deeda8cb4c09b9be1a3001cfff9de20270d43c883ee21337d25ef54bfa90bcea616c9f4d088ae9ced4a39c5cf9de897b7049561c

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe
Filesize
272KB

MD5
2a6d4ca0920cb8291be180d6d3f8205c

SHA1
490b98bc74c91a6ebbfd6f0681fed707be22310b

SHA256
5b66f6b9f80df89bba6a85895231b0f1c57919c781f18ee28e3cc3ccbbccfba0

SHA512
f1e216e28d77fb3b474b1a18a225382019b710a11638502930fa40b2cd2fbb47fc46944688896fc80b613a7eb838b9b6d9faca8d71475c4e1372951a8434d1e4

Download Submit
C:\Windows\SysWOW64\Mglack32.exe
Filesize
272KB

MD5
0901a10b418e07081ab3965f46e8925b

SHA1
ad3f730983aa993bf2383e6943ba2eeee8a23b9c

SHA256
0689424496f7cce69ed0028d124c4fe1ed73be282b64d3dff0c33af050e8ad04

SHA512
e64df88780747427b8de8e2d82701f64cf7d184ca63dfc3f4ae17c2a8066ece444c2740b318565ce1626c842829cc11152a2acafc81822c866d3037f2af4d3e6

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe
Filesize
272KB

MD5
36696ae4a50e71972f348cc4a63bdb40

SHA1
f23498279cc14537c403ebb00cc15659c240235e

SHA256
d0390bd425740d58bb4a586490319ef2355246cadda1b599029ee64815de18b8

SHA512
c8b7d6db568bf2c8893a76fed278c20b4a384e935be181039d921c7ff3c1e50f3d87e8fdba4844cebefa306410d0ed1131fce7a97b05922d381aba3670af2e1b

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe
Filesize
272KB

MD5
53c44f34e8dc46e837097e75fecc9ac1

SHA1
0e5a17f7f8547f34cb5d0ec5d179cf27d9312f34

SHA256
660325d0e0127603bee4fe258cc4927b5bb49c6d0d2b6bf1860a723a3f3fa6b5

SHA512
8ffdeb6b57b549070f11c306434c20b4f7cfd595e757d82e813c5605d2e7ecc4edbfb3cf0ae27a0472794e7ee54e991c4a9a42530a32f6af0d76ffc7da92acce

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe
Filesize
272KB

MD5
8679526ecf43e4ab8ec553be4fa2dd0d

SHA1
aa01df50e000c7a8724c15238b94a6d820e43dde

SHA256
adf3caa6e1eaf78bca304d37dba35ba37c9bdaee24c6a52ba2bdcd07703ddab0

SHA512
3e67246221268436c4b656948d13cbacc41ab564ce6102af2999df1157d257e983aa3ac36c2eeeaa77975f014a6e82319d3551c6ea383b64043e3edd35b74aa1

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe
Filesize
272KB

MD5
c364c871672fc3fe03a1c31dc516ed1a

SHA1
2d7e3e27313bbdf7f36e1073f428acfa28f4a5e5

SHA256
30009ce34402ac21d36c07297a464645588eabf1c4eef7530e4afc5c763dd7e6

SHA512
ff2ea58cd18debde6297d09aef79bb3bf7b02b21e86f6727dd40a8293cb5bedc3a64d6c5a9bc7a777e09bf8d21f3ae579f90cdb29908cf7589fc1dbefc3209a8

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
272KB

MD5
db4de5137354ab1d21c6f3fb26afd0f7

SHA1
442e1ec0525e0d26b69f87022cfcff2ed559d15f

SHA256
4502f4283786f3769549fb1572720a837ea4a71b00653075e2597bf9db7e7025

SHA512
1d954f9ad083c353b45693f7d6b5cc69dda5fc2459b6c7e2a288aef9e12059f231edddf412018695043fd6e2794ab20d77690f336c6df2b425e44fed9c2bde68

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe
Filesize
272KB

MD5
68721d7e8e1c95d6816cff78d96530b1

SHA1
67d276cc6a70b3fbaf5dfcae4786e9d6487474d8

SHA256
bce5e36991b0da3dc27a277ed41e5bc9bc9890b6673fd9f34aacf1f6ca616e08

SHA512
4949458df39ca240d0d6dc9824dc867eff951cf1c8877490062453e4d762fd15e8cbb190d70f8bcbbb1ca7872b73091122bdacc0a4fe1caf7feff17c6bd870f8

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe
Filesize
272KB

MD5
b3792b6343d09e2d6372a7dea38889fc

SHA1
43a60334a09bf8f465c71bd6a476ef38b604350f

SHA256
41c4ceb03e1f031370363911a2ffd20917f2bb48f0cab32db369c8314c093404

SHA512
e918de9241096ba53f87cd7cadbbedfc366491ca0970657523fd27ba7c05e17271b369bd4be8baa00f55a8184525ea9841870940882965395c31b19134bfaff3

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
272KB

MD5
b481658ef826173ac7e0971cf4c80b5c

SHA1
18aa3ee316e7a3ffaf14ac76c14ad52543c51c58

SHA256
560fd6a90575b6feec2453258a409a8b3f6d0b3e54166aba79d394beda844376

SHA512
eb737fe5c83d5c30b17e3d21c1bbfc443ee94f2a367205cc8eac99aa14fe872ea9930a2258c76d7f8539b6e766eb64c6994e030f874f0a5398662b3c2da07fbf

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
272KB

MD5
3b86c1a29bb91386ca62f8e23b635423

SHA1
ad074c2bcaf007b1fb154ca3d372434f7cf832d1

SHA256
6bcfa2f785ffdb47c920bb19479be709b812b17454f3cc102406b42e297b750a

SHA512
e5b7005466f4986d1cdcf2ce69aeba22fb7ab13515c541ae0c233dc0d0e7c94c1166b1dcfae9f324d826086d2613f83969583e19c9d000615d588ba8266619c3

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe
Filesize
272KB

MD5
b4cdd6bf68c64c321193e4c60670567a

SHA1
5ae234569e96036208951626988bf72e778d0f7c

SHA256
19ded7bfc38c3452b26f1b934d535b57cdb1f5e129dbb8a0c1f6dda7d8e68b4a

SHA512
ff17fba77194766f7f19e005d15a56afe42fbe387c9227240bcad9f37a737c67a001fa9edffd2ea2ccb40b5f2665dddaceb635b98b391eafa03bd156974b427a

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe
Filesize
272KB

MD5
b260a8451aaf0701152dce3ab42c7e57

SHA1
645da004513437fa97426222c07ce41d9216feb4

SHA256
90c9eaf4605b31fca3f339b91d34d67eaf54dfda2158cc3000b3459e993d0ea6

SHA512
efd903c443df8dd1e22c273951ee592ad8841cede008956e3a671251b4f5a9447270dc73f3fbce691c048f49a968e0d1fa0ada0ca2ec066d087588dabd5cfc94

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe
Filesize
272KB

MD5
4fae874707cbe8ba2eb03986c3e5112e

SHA1
f061620f7277d42203ea6ae1e2a2acca4ae48368

SHA256
fb0ebd9a5ce08b0efe65a5bb1a37f7a6ba38326fa6ca6dcd9e46790d3cc1dadc

SHA512
a463a545d166ee8c1b8da9a763b43e76b91ccbaf67f1705b621d694cd73ec84389f9afcafa8732b66b719ba9e9733f166465751e12c9cc718a178d0b9dcd203c

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe
Filesize
272KB

MD5
bd71b199575b2241921123c43b6007f5

SHA1
1640b2e127b6268d6132cc2fc3fb1ae9dcbd1a2e

SHA256
85dce56bd9a228542904fc065115dfa540fa0348cc9ed66395e1e9c18e962bd2

SHA512
8316d124db0cf572a3bfadaa9cea730850cc9afbce2b3af91bc818f48a0e1810f214890babcb1a1257050a78e0385cd898e0c2d620bb5f0a2dfd76e8bf9da548

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe
Filesize
272KB

MD5
7432c991a761b9a4602f2ec27af031e2

SHA1
0582abb80bc14e63f3a3d93bf5a4352ad2335b84

SHA256
f49bde2d9aaf09d9214a767832f0c3ecdf92d6d36780b7b3fd3714d756d351f4

SHA512
5a4d00702adfceef714173000b9875397e9468d0ca33f288896c4162ef9353a17910b89ff08006f0680f9804756e4ede4e8e550ac59d82870437c66aebea2dc3

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
272KB

MD5
1215be435f639935e064c9488d9a228b

SHA1
3cadb58e292679594394097ab9a542fdecbe95a5

SHA256
9f96da0c5d8fba98a7cdb55a8953fb12f17e913b4bfd17975811765ebd7a09cc

SHA512
5fe9c0e4eb9f9d20c81c9cfa5ad2b1876a88526bc2098d1c673d3d420fde3ecce523b7a26a46d3346e66ca1661f4d9236075d5ff075bf36a0eb85cdc1032daa5

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
272KB

MD5
add2f6427edcab462bbc7037a9e943be

SHA1
2597482f5eb9aff66145baad86d07988bc6b8721

SHA256
8eba65b0ccbb42e1926ca1ae46ea386782cdc1f98edae1795ab1aadad4657741

SHA512
ca96149b53050a873c1683caa1cac060c2690e3e846f58b9738743968ac191486ce2dcd7c2a15a1d44f06d473ea7dec71516ec6d796b2098151cfac4875af126

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe
Filesize
272KB

MD5
b5904e75874b50630bc88b3c21722179

SHA1
18a6d12128153a5d76131f798f8f6a6a8750d4ef

SHA256
225de62e90cda41493aa749c2824c3ead2e082d0dda65426b866988adb414ce9

SHA512
92c1fac94c0feafe20722225025ca570359e87973adf502099d2c6d789324ead27bd1aa49e2e386c47b1dac2cc08919a8cd130230d863b305b8f5fd95e5ba6fc

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe
Filesize
272KB

MD5
8366a084ea83b72b243927f87070f2a5

SHA1
b08c9cd701e842eeaa046f7ddd43f958ddac46a7

SHA256
9dd316569487939b6e126a49e390d3fc26e38d73770171876a892d8c63b24b9e

SHA512
aa3a76ebf7fffdb6d4eaa563379f044334a89dacc4c9154732c1c68a0b89022d85b48467bd87c11cbf243d8b757da28a8fee6bf054f9c74fdd8f50fc3b0fd393

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
272KB

MD5
3e5e950e4d3dc05ce876a289350c1b49

SHA1
97526685dbe5c25d9cda3c8f2608d8b917a9f888

SHA256
e5330918697b5763c934608ce6daab94c5745d1eae6b097aad7f313272a74855

SHA512
a96309c4c88d7d01a0c5519d32f0fd95f9b25b20a4c16dd2c95f90df9dc5aefec443953d78c57be42eea613c539574c0a798bdf17e1c8c571554c53d23a1ce81

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe
Filesize
272KB

MD5
35a3b0566b9871c77f772c8437d86929

SHA1
e387f1b19d94a4a263525099c43f5f5fe0eb101e

SHA256
2bcbefb6c176e8d099c164b0d87c4b23be52b5fe68f5c81d85439034641e93f2

SHA512
d0021c7e91e4c7308a4bf31a877c25cf0173ddef6d1107e0a8b23070dbc1fed608686dd6b1973ba115dd2aa6a36ee91a0d0c9037509592a4ce6caf52f509a11e

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
272KB

MD5
916a466000b82c27eed3e6feca566934

SHA1
28fd06118d5ed877478f8dca17056c0e007f5c8e

SHA256
b2a76181763893d9f8d47596a2cf9e96bc175b344be336d14a5d933c9610dc25

SHA512
3642bd5279b1ee4f0dbcdf1734c4efa1b088d3f1dd2e2902738915a22a4ac9b76ef9ef8f83ea671b283b34a355a95a56094ef7e1cd37a8204869e550fc1379cd

Download Submit
memory/688-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download