60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
94s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropper/Berbew.exe
Size

109KB
MD5

331d4664aaa1e426075838bac0ba0e80
SHA1

b5825947ed101a498fadd55ed128172773f014e3
SHA256

90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1
SHA512

9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec
SSDEEP

3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lcmofolg.exeLmccchkn.exeLnepih32.exeNnhfee32.exeNcldnkae.exeLpocjdld.exeMajopeii.exeMgidml32.exeBerbew.exeMcbahlip.exeNklfoi32.exeLgneampk.exeMdiklqhm.exeMgghhlhq.exeMcpebmkb.exeNdbnboqb.exeLpcmec32.exeMnlfigcc.exeMgekbljc.exeKkbkamnl.exeLkgdml32.exeMjeddggd.exeMjjmog32.exeNnmopdep.exeLjnnch32.exeLcgblncm.exeLknjmkdo.exeMpaifalo.exeNcihikcg.exeNbkhfc32.exeLilanioo.exeMjcgohig.exeMjhqjg32.exeMamleegg.exeMdkhapfj.exeMpdelajl.exeLaefdf32.exeNqiogp32.exeLcdegnep.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe

Executes dropped EXE 42 IoCs

Processes:

Kkbkamnl.exeLpocjdld.exeLcmofolg.exeLmccchkn.exeLdmlpbbj.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLcdegnep.exeLjnnch32.exeLaefdf32.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMgekbljc.exeMjcgohig.exeMajopeii.exeMdiklqhm.exeMgghhlhq.exeMjeddggd.exeMamleegg.exeMdkhapfj.exeMgidml32.exeMjhqjg32.exeMpaifalo.exeMcpebmkb.exeMjjmog32.exeMpdelajl.exeMcbahlip.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNqiogp32.exeNnmopdep.exeNcihikcg.exeNjcpee32.exeNbkhfc32.exeNcldnkae.exeNkcmohbg.exe

pid	process
3400	Kkbkamnl.exe
1824	Lpocjdld.exe
1536	Lcmofolg.exe
2136	Lmccchkn.exe
1076	Ldmlpbbj.exe
2628	Lkgdml32.exe
1008	Lnepih32.exe
1352	Lpcmec32.exe
1340	Lgneampk.exe
4332	Lilanioo.exe
996	Laciofpa.exe
3600	Lcdegnep.exe
3460	Ljnnch32.exe
4564	Laefdf32.exe
2280	Lcgblncm.exe
2124	Lknjmkdo.exe
2100	Mnlfigcc.exe
512	Mgekbljc.exe
3960	Mjcgohig.exe
1124	Majopeii.exe
4872	Mdiklqhm.exe
856	Mgghhlhq.exe
924	Mjeddggd.exe
3440	Mamleegg.exe
2916	Mdkhapfj.exe
4880	Mgidml32.exe
5004	Mjhqjg32.exe
3028	Mpaifalo.exe
1896	Mcpebmkb.exe
2120	Mjjmog32.exe
4292	Mpdelajl.exe
4688	Mcbahlip.exe
4768	Nnhfee32.exe
2252	Ndbnboqb.exe
3216	Nklfoi32.exe
1204	Nqiogp32.exe
3244	Nnmopdep.exe
4420	Ncihikcg.exe
2204	Njcpee32.exe
4232	Nbkhfc32.exe
1308	Ncldnkae.exe
1884	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Lgneampk.exeLcgblncm.exeNbkhfc32.exeMgekbljc.exeNjcpee32.exeLaefdf32.exeLknjmkdo.exeNcihikcg.exeLmccchkn.exeMnlfigcc.exeNqiogp32.exeNcldnkae.exeLilanioo.exeMjcgohig.exeMpaifalo.exeMdiklqhm.exeMjhqjg32.exeKkbkamnl.exeLdmlpbbj.exeLkgdml32.exeLpcmec32.exeNnmopdep.exeLcmofolg.exeLjnnch32.exeMjjmog32.exeLnepih32.exeMajopeii.exeBerbew.exeMcbahlip.exeMjeddggd.exeNklfoi32.exeMgidml32.exeMamleegg.exeMpdelajl.exeNdbnboqb.exeMcpebmkb.exeNnhfee32.exeLcdegnep.exeLaciofpa.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Berbew.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1284 1884 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1284	1884	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Lnepih32.exeMjeddggd.exeNcihikcg.exeLmccchkn.exeLgneampk.exeLcdegnep.exeMgekbljc.exeMdkhapfj.exeNcldnkae.exeMdiklqhm.exeNklfoi32.exeNjcpee32.exeBerbew.exeLcmofolg.exeMgidml32.exeMjjmog32.exeKkbkamnl.exeMjcgohig.exeMpaifalo.exeLknjmkdo.exeMnlfigcc.exeMgghhlhq.exeMcpebmkb.exeLilanioo.exeNnmopdep.exeNnhfee32.exeLpcmec32.exeNqiogp32.exeLaefdf32.exeMajopeii.exeNdbnboqb.exeLcgblncm.exeLpocjdld.exeMjhqjg32.exeLkgdml32.exeLjnnch32.exeMamleegg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Berbew.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Berbew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Berbew.exeKkbkamnl.exeLpocjdld.exeLcmofolg.exeLmccchkn.exeLdmlpbbj.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLcdegnep.exeLjnnch32.exeLaefdf32.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMgekbljc.exeMjcgohig.exeMajopeii.exeMdiklqhm.exe

description	pid	process	target process
PID 4856 wrote to memory of 3400	4856	Berbew.exe	Kkbkamnl.exe
PID 4856 wrote to memory of 3400	4856	Berbew.exe	Kkbkamnl.exe
PID 4856 wrote to memory of 3400	4856	Berbew.exe	Kkbkamnl.exe
PID 3400 wrote to memory of 1824	3400	Kkbkamnl.exe	Lpocjdld.exe
PID 3400 wrote to memory of 1824	3400	Kkbkamnl.exe	Lpocjdld.exe
PID 3400 wrote to memory of 1824	3400	Kkbkamnl.exe	Lpocjdld.exe
PID 1824 wrote to memory of 1536	1824	Lpocjdld.exe	Lcmofolg.exe
PID 1824 wrote to memory of 1536	1824	Lpocjdld.exe	Lcmofolg.exe
PID 1824 wrote to memory of 1536	1824	Lpocjdld.exe	Lcmofolg.exe
PID 1536 wrote to memory of 2136	1536	Lcmofolg.exe	Lmccchkn.exe
PID 1536 wrote to memory of 2136	1536	Lcmofolg.exe	Lmccchkn.exe
PID 1536 wrote to memory of 2136	1536	Lcmofolg.exe	Lmccchkn.exe
PID 2136 wrote to memory of 1076	2136	Lmccchkn.exe	Ldmlpbbj.exe
PID 2136 wrote to memory of 1076	2136	Lmccchkn.exe	Ldmlpbbj.exe
PID 2136 wrote to memory of 1076	2136	Lmccchkn.exe	Ldmlpbbj.exe
PID 1076 wrote to memory of 2628	1076	Ldmlpbbj.exe	Lkgdml32.exe
PID 1076 wrote to memory of 2628	1076	Ldmlpbbj.exe	Lkgdml32.exe
PID 1076 wrote to memory of 2628	1076	Ldmlpbbj.exe	Lkgdml32.exe
PID 2628 wrote to memory of 1008	2628	Lkgdml32.exe	Lnepih32.exe
PID 2628 wrote to memory of 1008	2628	Lkgdml32.exe	Lnepih32.exe
PID 2628 wrote to memory of 1008	2628	Lkgdml32.exe	Lnepih32.exe
PID 1008 wrote to memory of 1352	1008	Lnepih32.exe	Lpcmec32.exe
PID 1008 wrote to memory of 1352	1008	Lnepih32.exe	Lpcmec32.exe
PID 1008 wrote to memory of 1352	1008	Lnepih32.exe	Lpcmec32.exe
PID 1352 wrote to memory of 1340	1352	Lpcmec32.exe	Lgneampk.exe
PID 1352 wrote to memory of 1340	1352	Lpcmec32.exe	Lgneampk.exe
PID 1352 wrote to memory of 1340	1352	Lpcmec32.exe	Lgneampk.exe
PID 1340 wrote to memory of 4332	1340	Lgneampk.exe	Lilanioo.exe
PID 1340 wrote to memory of 4332	1340	Lgneampk.exe	Lilanioo.exe
PID 1340 wrote to memory of 4332	1340	Lgneampk.exe	Lilanioo.exe
PID 4332 wrote to memory of 996	4332	Lilanioo.exe	Laciofpa.exe
PID 4332 wrote to memory of 996	4332	Lilanioo.exe	Laciofpa.exe
PID 4332 wrote to memory of 996	4332	Lilanioo.exe	Laciofpa.exe
PID 996 wrote to memory of 3600	996	Laciofpa.exe	Lcdegnep.exe
PID 996 wrote to memory of 3600	996	Laciofpa.exe	Lcdegnep.exe
PID 996 wrote to memory of 3600	996	Laciofpa.exe	Lcdegnep.exe
PID 3600 wrote to memory of 3460	3600	Lcdegnep.exe	Ljnnch32.exe
PID 3600 wrote to memory of 3460	3600	Lcdegnep.exe	Ljnnch32.exe
PID 3600 wrote to memory of 3460	3600	Lcdegnep.exe	Ljnnch32.exe
PID 3460 wrote to memory of 4564	3460	Ljnnch32.exe	Laefdf32.exe
PID 3460 wrote to memory of 4564	3460	Ljnnch32.exe	Laefdf32.exe
PID 3460 wrote to memory of 4564	3460	Ljnnch32.exe	Laefdf32.exe
PID 4564 wrote to memory of 2280	4564	Laefdf32.exe	Lcgblncm.exe
PID 4564 wrote to memory of 2280	4564	Laefdf32.exe	Lcgblncm.exe
PID 4564 wrote to memory of 2280	4564	Laefdf32.exe	Lcgblncm.exe
PID 2280 wrote to memory of 2124	2280	Lcgblncm.exe	Lknjmkdo.exe
PID 2280 wrote to memory of 2124	2280	Lcgblncm.exe	Lknjmkdo.exe
PID 2280 wrote to memory of 2124	2280	Lcgblncm.exe	Lknjmkdo.exe
PID 2124 wrote to memory of 2100	2124	Lknjmkdo.exe	Mnlfigcc.exe
PID 2124 wrote to memory of 2100	2124	Lknjmkdo.exe	Mnlfigcc.exe
PID 2124 wrote to memory of 2100	2124	Lknjmkdo.exe	Mnlfigcc.exe
PID 2100 wrote to memory of 512	2100	Mnlfigcc.exe	Mgekbljc.exe
PID 2100 wrote to memory of 512	2100	Mnlfigcc.exe	Mgekbljc.exe
PID 2100 wrote to memory of 512	2100	Mnlfigcc.exe	Mgekbljc.exe
PID 512 wrote to memory of 3960	512	Mgekbljc.exe	Mjcgohig.exe
PID 512 wrote to memory of 3960	512	Mgekbljc.exe	Mjcgohig.exe
PID 512 wrote to memory of 3960	512	Mgekbljc.exe	Mjcgohig.exe
PID 3960 wrote to memory of 1124	3960	Mjcgohig.exe	Majopeii.exe
PID 3960 wrote to memory of 1124	3960	Mjcgohig.exe	Majopeii.exe
PID 3960 wrote to memory of 1124	3960	Mjcgohig.exe	Majopeii.exe
PID 1124 wrote to memory of 4872	1124	Majopeii.exe	Mdiklqhm.exe
PID 1124 wrote to memory of 4872	1124	Majopeii.exe	Mdiklqhm.exe
PID 1124 wrote to memory of 4872	1124	Majopeii.exe	Mdiklqhm.exe
PID 4872 wrote to memory of 856	4872	Mdiklqhm.exe	Mgghhlhq.exe

C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Lpocjdld.exe
    C:\Windows\system32\Lpocjdld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\Lcmofolg.exe
      C:\Windows\system32\Lcmofolg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 412
        44⤵
        Program crash
        
        PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1884 -ip 1884
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqbmje32.dll

Filesize
7KB

MD5
5f5b200e98787f96e4d560feb2b19bf5

SHA1
5141f3816d00423eb620861d1036028048c2f781

SHA256
487290f0741fc40962fb5cc91cf31ca12050f127a37aa55c20222bd708c67c75

SHA512
c74a2cddd4237508791fa6a7bf33c7c2b73faaecf2cb4b5cb9906ebc9f1eccfafedd648192c94e01bdd696247a0922a99e7cb9865f132855d34a24734ab4a122

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
109KB

MD5
fcc7e981283a297d63d37904dcc193ff

SHA1
9155c1c1bb30ab39f51447a1c0caff51601388fb

SHA256
30ed02b674f59efd95e7dd152bb0dc653dae8ce561eb6a393754f07c57c19d01

SHA512
644c31db38c818204e3fa5380607d48f379271027f37545291547acfdb9954a844cb6afc776b2b4ab9bad2a1ca4ca572ab1162eb87bd6eb0530d81dd8f7530c9

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
109KB

MD5
d4a4cbb5e909b59397237bd3486dec0c

SHA1
bb23955e86190a236d0ef0d59228149cf2a51e6b

SHA256
6ce2e4b4317868cf4e8cfc160374c516489a52e75270725fc58e70c349c36641

SHA512
06059627a8b9ad0d527ef429661f8b995fe96485ac3ddd8b03109cbbd3a53da71f7fa8780af45f18fb7f3668f31394b1f5cbabee0eece22ff7880069e08a4721

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
109KB

MD5
ae81e54a7b7205a8c51eefff8a88f91b

SHA1
1a8e2711ccf8cd12adce6cf83a62871bcd03460b

SHA256
2638b81b2045bbdce1e7e6ef2b5cbb2d04d260f408fd36d5015c2436eaf2e599

SHA512
ae7092bd7ea9cd84c5bfb1b6ef72156bac0ce7347bb7215ffbe91612988f3937fc9164b9f8994365b4bbf7bb753ec501ed49bd49ef03e531566f02bbf375e58f

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
109KB

MD5
e79c05205251337b248b96249a164c14

SHA1
acaf6c3fe45df271fc5ebaca4c27ee4cdf97d786

SHA256
532316fd89eaca684907ada1e67c7644fbca7ee6e869fd5eec11b7568f61b81a

SHA512
e7f78219eeef43f0b8715f6924c5ce5dff171b12068054f1fd36810d6a1703af7553f05fb416dbac7ee612a7b93e861701f9dd36bc7351148e1afe0db0c26f59

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
109KB

MD5
7256f322c898be298f043822912465c7

SHA1
010a83b7e7653cbe329f5666824300be480772f7

SHA256
1f06a7065f097abad866471416634f987b379ded0f1f98bd1ad6063c9d177e61

SHA512
7bde402627701af9698a2c40b678343a359d0d117a45f64ef877a2dd391fd0bc5b65a225e2d5147d2c981b0a8953b92d375b9a617d003d1d25aa70576c7ae1c6

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
109KB

MD5
efa749df89a9ca2d0347e1b5e9de1fed

SHA1
549393b28df8d5d55e6107edccfe10843a43d265

SHA256
94da9798ba4ea408138bf79a5b01d63f47ffc645c27f69ead1cef153d8e22cc0

SHA512
548c3c61fe796e95415201992547e34f2e716a3262a6370616286c2cf819b175a7e1cb4b1f53075e462bf4a6023e790d5d0293146842215aa11a6f5444507ddd

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
109KB

MD5
6943d15b5f653ae6f8070daf7cb7806f

SHA1
0028e0e38524055e45d38fc88f362d564550c0f1

SHA256
3a16913193a3322f74f423590f65d8f1dea4a481aaaa2e1e12ffec3b2e36d585

SHA512
f288f3e7147e4a209bcb10c9336ba8e82a399cea93de9ecd67c6b2288a6bbb17ca60a1405616bc53401cc4a864bdc3400b2f2aef018e2cd1ee37313f1f8dae97

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
109KB

MD5
5d84c50fa6005891816ad43d8e4631a5

SHA1
2e52e7b8fcb1efdb0a55146828dc71c355e5e6f1

SHA256
5bfb553d86497b509208d8bd20be45866c1bc9d4b64276a176c43ff3b17c830f

SHA512
31259815bcfa4cbed6593c60afb88552ddf89d40d228ef7538017e3b5263db5bb29d39f86358c2a25b72ce57a2f557dedc4f21c91bb9a13089b9434976ddfa41

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
109KB

MD5
55c31c4ceb74134c95c7e52777fce5dd

SHA1
5cf0c5ee20bbb5a7464ff470f2515195f181790c

SHA256
b8a0dd53f95fbc57eaf60508c53576efc06645514152085a0a7e06457456e164

SHA512
4b0819cc5ce8c824f854a6b81cf2a9e57fb9acbaeff8dd67286b95c2659c22f14599d81806688e1dae8da473bb8e1ba3032dd00d1a8669f1c57384426890cc6b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
109KB

MD5
1ea632c742ca0204709974016d4b862c

SHA1
2137f4220756e66333be2cc38d386b9fe1386b73

SHA256
2187e884f41e721d8104be28d360990ded64b911f3b1a3efe37c8a033c41b948

SHA512
74349c5bbabfd168649bde543fc115ee1e1178317bffcb5a563219c5b3e721ecf2ccf8c5f638b1ddccffda9d3b015521c6ec67b064c064df14f656c23e2dd65f

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
109KB

MD5
75ed51ef043085fe6cc9128cebecdfac

SHA1
b06ced6f127d7e856740af9c193af2d97a8dacc3

SHA256
fe0225f563ce8dd345d5d18adf9d955d6b6a0ad93fda2a672bd1596678445386

SHA512
d581504929265d4b0ae8a9f5fde3644f82cd10562fec3c355f619841b17aa4186e265a5e92ab6cffd36de79ed9607f743bacfa0d34bd12ace6bcfbea76e693f6

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
109KB

MD5
53779c3385e186b10cbb6501b97c1f1e

SHA1
7fa49e4efcf4478e661b76fa79af1097520f9da9

SHA256
fcece14344badad06a8a3c1755f419591dc3b7eac41b37bfecf60032312d1ee5

SHA512
0bf972bb11246ac70ad7d53113a431d32ed729d912d7e64e2c743381136df394d947a1185dacf18695d88bd6235a675e8cb0c2fb115d2b7fcbee41bdc5604fc5

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
109KB

MD5
d6a3e5f76be8ff6ff215293887486d80

SHA1
c731d4426e1e37ce0d91274cf168386e8fd5fb33

SHA256
433fa5bb0adbf882322fe683c624409601207264c18ef3de2b537c036973c122

SHA512
fd96ea4962405a8ff37771cc09a3d00652d288f199970ee803e936985a8d43d199da518602e45adf5e08874294e7ac6920c04cc6fa735b74d74f6759ad5dc6ff

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
109KB

MD5
e3e7c0a3ef0b7a95ca5e2ac0c8280ed4

SHA1
5aa6f3059d63674521a3ebf0f5db213d856d9f0a

SHA256
695386fb63190e6324a0835eb8bac490ac5e87d6d0a0d6c1ffa753f67258703f

SHA512
e6be149696ed8a90b4b92c91cbceb541ccede44c3d0b19a32a526a0a07886071d2cc4bd6849d5149607965dbc2aec36efe8541521da98c12219312ed89a22c70

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
109KB

MD5
e9d4c77d8847de5e0b27fa9ef21bec91

SHA1
56f6eb052ebbba80d04e7f7cab7d743a7455a8ad

SHA256
04d3fdba7406844d7fcfea7334b570734cc0a8656f2e8c989cf4c3fd48dc74d6

SHA512
60cede578c0a33c0dc2f89c384794c280556a4ac0632e16f0ec26db8b2bda91a35157fe45119e398e0b2a689e529c51327a8bdf97e2d9acce9082f6c656a39cd

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
109KB

MD5
129dd4422c1b47f3202097fd80e9660a

SHA1
27a61e1b453327d3003228284f3fa10651c0e113

SHA256
ad7b86a8944eaae28727b2d44a18b61fe59382fa67af290f02b5d9baa41bde80

SHA512
4750bdb05fbe105041819a5eb6481cf4b1cf2c21176441460b089bde175e81df8310b3dbbb7c0dfef96a853bef0ab5b34a7ac14287f9619b567d089faa1d13ff

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
109KB

MD5
546647c87598ffec5bc13a762aa69070

SHA1
959e5a7b62af615ccc593bc504a4acb4e36c415e

SHA256
cd61cb9b329a40a67c9a606ea451603126b562fe380bd15241368b0efca886a9

SHA512
8cc67b54a6b549ef645ab2c151d90df3d806cef0d8a21442ffd175b4ca3555856b6927a67086e1a357617df50434149adbf476c3ca1f9377712f76cc317e7e38

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
109KB

MD5
3dc9bd7a4cf5d461ee86c8936012f896

SHA1
edad9a79d07f9ccda3cf99f974e5897c37bea078

SHA256
c491548f899605085757521bbcef37e5a093a7ffc44bd9f605cdcdaa4a6a1a08

SHA512
64a3c30a3e9d5bba9d781971caeb6f061e2e5098e511359c4f8937acae02de2f5c52b34395359176d03c9b9112c77bf6f6297ff87615ee16f82fa4d56d34d264

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
109KB

MD5
99ed28ed9aea8c3bbab0e868d280b742

SHA1
e6ea5b55dfbb21270333d2eed1409f09680c9247

SHA256
d26d677af5d7398ad46f564dfdf3752c0754e85d56ef647bcd1f35d0b0b40a94

SHA512
d43ad39811afb691d5b274dfa7646e6a73b2250339fa7743aa6b25ef0d4f423d8990f2e3348d0aa584faf4e774a278133723767be60a73f6e318d9fc24ba1bc9

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
109KB

MD5
c6347c531370c61756fe67f5d86f9d6d

SHA1
b317aa5c2d5ed543242608a487ac0628da76d9fb

SHA256
c89935253013772823a60add990ed4b7cd3d2ee2c6cef2b6f6e36651000e5ef7

SHA512
3b8ce63805f722aa786936c3e00001acc4c5d15a4fda137a53fa0c5d4151678a4e912f63b5943ea528582a638dbef2a49e7f6b4027ed23d0f44e180867496ed2

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
109KB

MD5
b64d1b47e9e57046a880b73b47564374

SHA1
bb8ff006c2474a95eea5b5e1f1b3be1933d41c67

SHA256
7a74863769c25b38604228d533812e679460ffb2814557ea39167ea7fd80c481

SHA512
67da63ab89e49e0b5816f20c3d0bb453ddc280ab5e607639e44c550d352d973a0e08ee3a76feedced97beeaa752af68d0aaa3cf0cc18fe5a93c7a13012b731de

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
109KB

MD5
afd288fa01913dbc993896be344c6ff1

SHA1
bb21f99105b2574d08fb2d9b24a11f67176ee3aa

SHA256
547033dbc4332479cdedca7b7af140da1df29d82479bbdedfc0a29ed83104403

SHA512
7f80ecf5571c940180708e8e54df000a86cd4090838fd7190b9df75bc5216ad1df124288808210eb380337e80cf2604545f9653e337269081fc01cb41566068e

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
109KB

MD5
25fb5ed5197eeb86f37d51ef8dc4d5fe

SHA1
9f135fd1822ff48441ed6c6c1e8c2c8c90b8edb5

SHA256
bcfe6067462d070ec2431bd9968799472ea48fdc0a4ef7b9536cdb331f4e669f

SHA512
6e6cf2aef3df7783fa7f708ff5fb1c1a6ab48cbc935c79e40d8516dfb5cf7839862d083f155fad3898d282f974b49d4c15e71703ba9a05e75930afd79ca2be75

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
109KB

MD5
020f103a14d30d6bb9cab50d06753cbc

SHA1
1bdb871f7e7bb8d6f78d4224469a19da273391bf

SHA256
ff52d312d35aa9b0f21e0ac013124f65cd29d91c398b1b1de378177bc1c65f24

SHA512
91f5ecbd08c6e263cc4710c7b5de7ebc597001b13538e1b9d9ff70973bb9020ad5f1732b2f3990f219c6ab2b245a05799810a308787af05686e71f05282ab752

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
109KB

MD5
9e1350d801586785753fdf78fbb46aae

SHA1
50c069f0a518a6e07af78ffa6b9e0a3ca4943f21

SHA256
9d35cf641e3613230d7f7489a4a61ae32dcf6f67af0ff23d871a2c5ffb8a1e9a

SHA512
dfcc35c904024aa51dd702f56fa03c9cee35257e95544082a07a51de6153b7dca6553a1dccc3f70aa9c01c6f2ca4dfd4bf374bd914a19a597e361d4e2b4ebe68

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
109KB

MD5
cdd00f816162e7a0842bffccce7f2c9c

SHA1
42ac2c5427f1e39092c95fb455e020e16ba60ba6

SHA256
d7b44ecbaef93d093ece77d1d8c41256be3431858fd0db5fc64409dca51a9083

SHA512
1332f3ff1252913ab899c76f79917248065d8c06795ef677e0a72951ba7d3254dc25daa632d4a7b626e3ff8156417f66c1fe46d525b4bd33afc18efd35d0f2ca

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
109KB

MD5
d2f7e915aa3ad62fc6860e696bdcf58a

SHA1
dbe022586debacd6501e74f010ac5786ed63db2e

SHA256
183e10234178b537a57972d52d9d2897c61c9ec59949f3728f0711cf28136be4

SHA512
75c7eac514c40d5cddf01ee7b568e96d844dc9395175948c7af314b74b1eb477064bc34adb4c4663acd1db95f87e710a56d5a40106ba845f66acb5dd0e1e54a3

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
109KB

MD5
591e4da374a5ee98c231cbf2b69e9060

SHA1
e1c079fa323cb023d04cb6961bf1d9b6bac24d2d

SHA256
852390cd61c71e026cdf58c30e08eba5acd160d893a823b9f654d02c643edbce

SHA512
c04f69892225bc1559476b336b076c6c2b0522e452dbd85cce05e5c461286f2657594db5d3431a3023bab64652781671955aedec3661757730a3fb42d67ea5b8

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
109KB

MD5
e8f10b220a454247dc0108ee5456d093

SHA1
28614556d7c2da696f380b81d1edaa375b95d3a8

SHA256
51d3179552ada907a324cfd4abec531af7eacc7895f972df976a737e242bed43

SHA512
63aace2c3c16b0e3df662f49ba7cfb798271f1b6f3e44a237c7d9b698fcca322e8f42aa705be4bcbc7822276ef125395f8aadb313b8733e3e2a54658ce996286

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
109KB

MD5
9e544171971b2746bc04e8b3be795acc

SHA1
c8abd6fa41f399608fc1e7749fdf8431002fdf2a

SHA256
bdf03f468169cadf78d672f83aebdf01671b1539e916eb5506a7631f5181a261

SHA512
1d30188e6cdd81577b71305856934df86c92081534ff93d8b1f5c390d7e9b5a9772070a8ebbdefb169ed41c1d0360e611baeca6e37cf52c273781eb14e58050b

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
109KB

MD5
8e0ddc9f76fa9e36a7118635d6fff808

SHA1
407c9b190b89ce2e9be3563a46a1a9e67e3363e0

SHA256
eece74334360468669a060a1f9c8676cfe473b5e7df9428d1757539c7f19978d

SHA512
623a7608b876e0f51fe0c096e9279fc511fd8d0e7b3f1d8e97298ad6aabeb7cb522fe80f4bd70da3d3785cd5c5b22539ebf872023172be5effe54a9281877344

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
109KB

MD5
f981190d091c8370328f5f2a86e8ed2a

SHA1
47ed0939c715d589b258e9bcdc9f2831a2d3e47b

SHA256
373764b7f865f85b340f729c7377185ea4ed8e1e69dc0e717c5b2d28fcb702ba

SHA512
7013726a63f28c93b4980b96e4b90ac5ecad0230a0b8b64910b79400d3e29c778501ef579281412c061fbd839af18948fdc809b980e5e04b3c0374a25f51865d

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
109KB

MD5
b69220c8129e2dd09088462a5d278b39

SHA1
d5837cb03fc9e0c70c0320be01f0a2b0edc79846

SHA256
0d00dd939831245a3d5cddd6016ab5faa717cad7919be62aa641c4cbdb7fef86

SHA512
9ed6004975cfcedcdba0eec686c6fa8a69e89b421aea7722153f52f393b829cccb74a835b90c1607666e03d55310d131369846917efb53870ed2fa036f1e114f

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
109KB

MD5
da7cfe1d4aa80adabd19eb2da7fa923e

SHA1
dd316f9eaed7a2fb9baa7204ca402def6f1ed66d

SHA256
c79f6cfb1adda569917b9bbf44df13bbfb11e4cff881dcf79fcf18ccaf23d7a1

SHA512
0c7c868640ccc666382e0a7ef6058276b510390486ac89a822ceca75bdb76b62b6a6cf4158390db136d7b1a9054b1d3be6a5230fd34b697496ac156372017389

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
109KB

MD5
1ece39d7b832df3b3e0ad408f6eeb43b

SHA1
5f87ca36bc347599dba8faee06bd2c989cc1c43c

SHA256
1cbe4415625b2d0d95fd102f5f66d67f9270c1cbdabc991ec99e02781d2391a6

SHA512
dde83094d37374fa102b546bad53a4bbb01c2a76855a37324fbe96e502220a57d50c58a0f72ca5d4106be6a3d82cacb5f97d3f356190b69dc0cbea414b35d915

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
109KB

MD5
e2ce3d967185d0bc611240b0584bac4f

SHA1
e50778096396e396d3e5a2997270fd42a2c2c5e9

SHA256
9b2d412fc7a6301170d78515a2e5dda39b3c4ff7958730c0fabc3c690c2b7225

SHA512
2803401e6eb79da8973fadda0f6e927959a507760b002d60ece337ebd0ec0a9c7b73c671b43b30742854318d9908626ec3f0f200f7d0105dc09344cb172ae38e

Download Submit
memory/512-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/512-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/856-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/924-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-92-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1124-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1308-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1308-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1896-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3440-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3440-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download