Analysis
max time kernel: 146s
max time network: 139s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2023 21:20

Behavioral task: behavioral1
Sample: NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
Resource: win10v2004-20230915-en

General
Target: NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
Size: 104KB
MD5: 58b219a67d35b8a40318a16c986f9dd0
SHA1: e2acff30516db9036d1fba6f17dcfeee717ac714
SHA256: a8c781b2d0edb5e412a51f001b9faabe816e9e3366a41f849eb2436d61458c92
SHA512: da070fddadf293717b8727d47baeea62c989358bca5068dc1e07c00263af4bda07168a1d75bc9f49534f58d2d507a52abfbc07859e022ed84d02280809c40a61
SSDEEP: 3072:fZcJmgJnQlerJdq+7e5gx7cEGrhkngpDvchkqbAIQS:Vg+l6C5gx4brq2Ahn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqhbcqmj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hepdml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mjkndb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnlhab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jndflk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ddqeodjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqninhmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Haemloni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Adgein32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hmfmkjdf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqbbhg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dofilm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkigfdjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjnjfffm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hedllgjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iabhah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Moenkf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chggdoee.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gekhgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhnpih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odfjdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kppldhla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Febjmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iniglajj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkaaee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmbclj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hdpehd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dekhnh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Febjmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihooog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flmlmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnjhaj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enkpahon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mbbfep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bpboinpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dboglhna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Npdkdjhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bcgoolln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dmcibdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aeommfnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjpkqonj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fpemhb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glpgibbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ibbffq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lckbkfbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfookk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iciopdca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkeoongd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fjfllm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kkigfdjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnmjpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qkpnph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cncmei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hdeoccgn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmljnfll.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elcpdeam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aenileon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miehak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imhqbkbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbchkime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dcemnopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ficilgai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbcjfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmbbcjic.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0009000000012024-5.dat | family_berbew
behavioral1/memory/2272-6-0x0000000000380000-0x00000000003C3000-memory.dmp | family_berbew
behavioral1/files/0x0009000000012024-9.dat | family_berbew
behavioral1/files/0x0009000000012024-8.dat | family_berbew
behavioral1/files/0x0009000000012024-12.dat | family_berbew
behavioral1/files/0x0009000000012024-13.dat | family_berbew
behavioral1/files/0x002f000000015c74-24.dat | family_berbew
behavioral1/files/0x002f000000015c74-25.dat | family_berbew
behavioral1/files/0x002f000000015c74-21.dat | family_berbew
behavioral1/files/0x002f000000015c74-20.dat | family_berbew
behavioral1/files/0x0007000000015eb5-30.dat | family_berbew
behavioral1/files/0x002f000000015c74-18.dat | family_berbew
behavioral1/files/0x0007000000015eb5-37.dat | family_berbew
behavioral1/files/0x0007000000015eb5-34.dat | family_berbew
behavioral1/files/0x0007000000015eb5-39.dat | family_berbew
behavioral1/files/0x002f000000015cb3-44.dat | family_berbew
behavioral1/memory/2720-38-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0007000000015eb5-33.dat | family_berbew
behavioral1/files/0x002f000000015cb3-52.dat | family_berbew
behavioral1/memory/2160-57-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x002f000000015cb3-51.dat | family_berbew
behavioral1/files/0x0009000000016064-58.dat | family_berbew
behavioral1/files/0x0009000000016064-64.dat | family_berbew
behavioral1/files/0x0009000000016064-61.dat | family_berbew
behavioral1/files/0x0009000000016064-60.dat | family_berbew
behavioral1/memory/2732-50-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x002f000000015cb3-47.dat | family_berbew
behavioral1/files/0x002f000000015cb3-46.dat | family_berbew
behavioral1/memory/2448-65-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0009000000016064-66.dat | family_berbew
behavioral1/files/0x0007000000016ae6-79.dat | family_berbew
behavioral1/files/0x0007000000016ae6-78.dat | family_berbew
behavioral1/files/0x0007000000016ae6-75.dat | family_berbew
behavioral1/files/0x0007000000016ae6-74.dat | family_berbew
behavioral1/memory/2448-73-0x0000000000260000-0x00000000002A3000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c26-84.dat | family_berbew
behavioral1/files/0x0006000000016c26-92.dat | family_berbew
behavioral1/memory/2608-90-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0007000000016ae6-71.dat | family_berbew
behavioral1/files/0x0006000000016c26-91.dat | family_berbew
behavioral1/memory/2312-97-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c26-87.dat | family_berbew
behavioral1/files/0x0006000000016c26-86.dat | family_berbew
behavioral1/files/0x0006000000016cbf-111.dat | family_berbew
behavioral1/files/0x0006000000016cbf-117.dat | family_berbew
behavioral1/memory/2804-110-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c36-105.dat | family_berbew
behavioral1/files/0x0006000000016c36-104.dat | family_berbew
behavioral1/memory/2664-118-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/memory/2664-131-0x00000000003A0000-0x00000000003E3000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016ce8-132.dat | family_berbew
behavioral1/memory/2436-139-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d01-144.dat | family_berbew
behavioral1/files/0x0006000000016d01-141.dat | family_berbew
behavioral1/files/0x0006000000016d01-140.dat | family_berbew
behavioral1/files/0x0006000000016d01-137.dat | family_berbew
behavioral1/files/0x0006000000016ce8-130.dat | family_berbew
behavioral1/files/0x0006000000016ce8-127.dat | family_berbew
behavioral1/files/0x0006000000016ce8-126.dat | family_berbew
behavioral1/files/0x0006000000016ce8-124.dat | family_berbew
behavioral1/files/0x0006000000016cbf-114.dat | family_berbew
behavioral1/files/0x0006000000016cbf-113.dat | family_berbew
behavioral1/files/0x0006000000016cbf-119.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
1832 | Daipqhdg.exe
2720 | Ejkkfjkj.exe
2732 | Epecbd32.exe
2160 | Egokonjc.exe
2448 | Epgphcqd.exe
2608 | Enkpahon.exe
2312 | Eolmip32.exe
2804 | Fjbafi32.exe
2664 | Fqlicclo.exe
2436 | Fbmfkkbm.exe
1992 | Fmcjhdbc.exe
2244 | Fhikme32.exe
1060 | Fnfcel32.exe
1924 | Fgohna32.exe
2992 | Fkmqdpce.exe
2388 | Gbaken32.exe
900 | Hinqgg32.exe
1412 | Hipmmg32.exe
1660 | Hegnahjo.exe
1640 | Hlafnbal.exe
1652 | Hnbopmnm.exe
1392 | Iabhah32.exe
1808 | Iphecepe.exe
3016 | Imleli32.exe
1948 | Iegjqk32.exe
1336 | Ioooiack.exe
2728 | Ioakoq32.exe
2428 | Ielclkhe.exe
2844 | Jdaqmg32.exe
2880 | Jdcmbgkj.exe
2592 | Jpjngh32.exe
1988 | Jnnnalph.exe
2580 | Jgfcja32.exe
2908 | Jnpkflne.exe
2292 | Kcmcoblm.exe
332 | Kfkpknkq.exe
2016 | Kpcqnf32.exe
1160 | Kkmand32.exe
564 | Kbgjkn32.exe
2396 | Kdefgj32.exe
3004 | Kkoncdcp.exe
1032 | Knnkpobc.exe
1540 | Kgfoie32.exe
2268 | Lkakicam.exe
1684 | Lblcfnhj.exe
1760 | Lghlndfa.exe
556 | Ljghjpfe.exe
2180 | Ldllgiek.exe
1200 | Lmgalkcf.exe
2264 | Lqcmmjko.exe
2460 | Lngnfnji.exe
2860 | Lgoboc32.exe
2980 | Ljnnko32.exe
2740 | Lcfbdd32.exe
2624 | Mjpkqonj.exe
3040 | Mbkpeake.exe
2076 | Miehak32.exe
2956 | Mkddnf32.exe
2936 | Melifl32.exe
2548 | Mgjebg32.exe
1044 | Meoell32.exe
756 | Mjkndb32.exe
1108 | Mbbfep32.exe
2644 | Mhonngce.exe
Loads dropped DLL (64 IoCs)
pid | Process
2272 | NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
2272 | NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
1832 | Daipqhdg.exe
1832 | Daipqhdg.exe
2720 | Ejkkfjkj.exe
2720 | Ejkkfjkj.exe
2732 | Epecbd32.exe
2732 | Epecbd32.exe
2160 | Egokonjc.exe
2160 | Egokonjc.exe
2448 | Epgphcqd.exe
2448 | Epgphcqd.exe
2608 | Enkpahon.exe
2608 | Enkpahon.exe
2312 | Eolmip32.exe
2312 | Eolmip32.exe
2804 | Fjbafi32.exe
2804 | Fjbafi32.exe
2664 | Fqlicclo.exe
2664 | Fqlicclo.exe
2436 | Fbmfkkbm.exe
2436 | Fbmfkkbm.exe
1992 | Fmcjhdbc.exe
1992 | Fmcjhdbc.exe
2244 | Fhikme32.exe
2244 | Fhikme32.exe
1060 | Fnfcel32.exe
1060 | Fnfcel32.exe
1924 | Fgohna32.exe
1924 | Fgohna32.exe
2992 | Fkmqdpce.exe
2992 | Fkmqdpce.exe
2388 | Gbaken32.exe
2388 | Gbaken32.exe
900 | Hinqgg32.exe
900 | Hinqgg32.exe
1412 | Hipmmg32.exe
1412 | Hipmmg32.exe
1660 | Hegnahjo.exe
1660 | Hegnahjo.exe
1640 | Hlafnbal.exe
1640 | Hlafnbal.exe
1652 | Hnbopmnm.exe
1652 | Hnbopmnm.exe
1392 | Iabhah32.exe
1392 | Iabhah32.exe
1808 | Iphecepe.exe
1808 | Iphecepe.exe
3016 | Imleli32.exe
3016 | Imleli32.exe
1948 | Iegjqk32.exe
1948 | Iegjqk32.exe
1336 | Ioooiack.exe
1336 | Ioooiack.exe
2728 | Ioakoq32.exe
2728 | Ioakoq32.exe
2428 | Ielclkhe.exe
2428 | Ielclkhe.exe
2844 | Jdaqmg32.exe
2844 | Jdaqmg32.exe
2880 | Jdcmbgkj.exe
2880 | Jdcmbgkj.exe
2592 | Jpjngh32.exe
2592 | Jpjngh32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Hlpchfdi.exe | Hibgkjee.exe
File opened for modification | C:\Windows\SysWOW64\Pcghof32.exe | Pnjofo32.exe
File created | C:\Windows\SysWOW64\Kppmhmhh.dll | Edhkpcdb.exe
File created | C:\Windows\SysWOW64\Ledcahkp.dll | Lkkckdhm.exe
File opened for modification | C:\Windows\SysWOW64\Lhjghlng.exe | Lckbkfbb.exe
File opened for modification | C:\Windows\SysWOW64\Cfghagio.exe | Bcgoolln.exe
File created | C:\Windows\SysWOW64\Qielqc32.dll | Ehdpcahk.exe
File opened for modification | C:\Windows\SysWOW64\Ioooiack.exe | Iegjqk32.exe
File opened for modification | C:\Windows\SysWOW64\Dbmlal32.exe | Dlcceboa.exe
File created | C:\Windows\SysWOW64\Cahcle32.dll | Keango32.exe
File created | C:\Windows\SysWOW64\Ojoppamn.dll | Ioefdpne.exe
File created | C:\Windows\SysWOW64\Eoalpaaa.exe | Elcpdeam.exe
File opened for modification | C:\Windows\SysWOW64\Pfgcff32.exe | Ppmkilbp.exe
File created | C:\Windows\SysWOW64\Hlhgpq32.dll | Gfcqkafl.exe
File created | C:\Windows\SysWOW64\Kpfbegei.exe | Keango32.exe
File opened for modification | C:\Windows\SysWOW64\Ifbaapfk.exe | Ijlaloaf.exe
File opened for modification | C:\Windows\SysWOW64\Pilfpqaa.exe | Pgnjde32.exe
File opened for modification | C:\Windows\SysWOW64\Immjnj32.exe | Ifbaapfk.exe
File opened for modification | C:\Windows\SysWOW64\Dkgldm32.exe | Dboglhna.exe
File created | C:\Windows\SysWOW64\Ieipfd32.dll | Gjnbmlmj.exe
File opened for modification | C:\Windows\SysWOW64\Ofpmegpe.exe | Odaqikaa.exe
File created | C:\Windows\SysWOW64\Mgogqmha.dll | Fclmem32.exe
File opened for modification | C:\Windows\SysWOW64\Nfidjbdg.exe | Nfghdcfj.exe
File created | C:\Windows\SysWOW64\Nabcho32.dll | Immjnj32.exe
File opened for modification | C:\Windows\SysWOW64\Okbapi32.exe | Oehicoom.exe
File created | C:\Windows\SysWOW64\Qicoleno.exe | Qkpnph32.exe
File opened for modification | C:\Windows\SysWOW64\Ohagbj32.exe | Oagoep32.exe
File opened for modification | C:\Windows\SysWOW64\Hggeeo32.exe | Gopnca32.exe
File opened for modification | C:\Windows\SysWOW64\Ncbdjhnf.exe | Nmhlnngi.exe
File created | C:\Windows\SysWOW64\Bnofaf32.exe | Boleejag.exe
File opened for modification | C:\Windows\SysWOW64\Hjieapck.exe | Hqpahkmj.exe
File opened for modification | C:\Windows\SysWOW64\Phabdmgq.exe | Pahjgb32.exe
File created | C:\Windows\SysWOW64\Bmfamg32.exe | Bkheal32.exe
File opened for modification | C:\Windows\SysWOW64\Hkdgecna.exe | Hdjoii32.exe
File opened for modification | C:\Windows\SysWOW64\Ihooog32.exe | Ieqbbl32.exe
File opened for modification | C:\Windows\SysWOW64\Bbolge32.exe | Bgihjl32.exe
File created | C:\Windows\SysWOW64\Imekmp32.dll | Ekblplgo.exe
File created | C:\Windows\SysWOW64\Ldcnnnje.dll | Fejjah32.exe
File created | C:\Windows\SysWOW64\Nlfbcikh.dll | Amfeodoh.exe
File opened for modification | C:\Windows\SysWOW64\Hdlkpd32.exe | Hmbbcjic.exe
File opened for modification | C:\Windows\SysWOW64\Didgig32.exe | Deikhhhe.exe
File created | C:\Windows\SysWOW64\Cpfhcjhd.dll | Ndfpnl32.exe
File created | C:\Windows\SysWOW64\Dcffmb32.exe | Dllnphkd.exe
File opened for modification | C:\Windows\SysWOW64\Hlmnogkl.exe | Hagianlf.exe
File created | C:\Windows\SysWOW64\Dhfjmfen.dll | Mkddnf32.exe
File created | C:\Windows\SysWOW64\Fimmkm32.dll | Mnifja32.exe
File opened for modification | C:\Windows\SysWOW64\Gigkbm32.exe | Bheaiekc.exe
File created | C:\Windows\SysWOW64\Bimphc32.exe | Bbchkime.exe
File opened for modification | C:\Windows\SysWOW64\Mqjehngm.exe | Mjpmkdpp.exe
File opened for modification | C:\Windows\SysWOW64\Hmdohj32.exe | Hfjglppd.exe
File created | C:\Windows\SysWOW64\Epphbb32.dll | Kgfoie32.exe
File created | C:\Windows\SysWOW64\Kphgke32.dll | Fdjddf32.exe
File opened for modification | C:\Windows\SysWOW64\Bqhbcqmj.exe | Bjnjfffm.exe
File created | C:\Windows\SysWOW64\Onjgkf32.exe | Ohmoco32.exe
File created | C:\Windows\SysWOW64\Lpkadj32.dll | Miehak32.exe
File opened for modification | C:\Windows\SysWOW64\Eikimeff.exe | Ecnpdnho.exe
File created | C:\Windows\SysWOW64\Ilgjmckn.dll | Emkfmioh.exe
File opened for modification | C:\Windows\SysWOW64\Klgpmgod.exe | Kihcakpa.exe
File opened for modification | C:\Windows\SysWOW64\Bebjdjal.exe | Bljeke32.exe
File created | C:\Windows\SysWOW64\Daipqhdg.exe | NEAS.58b219a67d35b8a40318a16c986f9dd0.exe
File created | C:\Windows\SysWOW64\Fiopah32.exe | Fcegdnna.exe
File created | C:\Windows\SysWOW64\Bggjjlnb.exe | Bhdjno32.exe
File created | C:\Windows\SysWOW64\Bfmkge32.dll | Dcfknooi.exe
File opened for modification | C:\Windows\SysWOW64\Kaieai32.exe | Kmmiaknb.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmjjmbgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ccmcfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fkmqdpce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbleodi.dll" | Jecnnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Efhcej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eabjhf32.dll" | Mjgclcjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oaeacppk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcpfp32.dll" | Pfgcff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkadj32.dll" | Miehak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggedf32.dll" | Jnlbgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehameajg.dll" | Golgon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oddmokoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhchf32.dll" | Bkheal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hclhjpjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Faikbkhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ggmjkapi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efaglp32.dll" | Odaqikaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bgihjl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ldgnmhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" | Ecnpdnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mqjehngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmplgki.dll" | Hgbhibio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcclhg32.dll" | Ohhmcinf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jijacjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll" | Cnhhge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ebcmfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dlqgob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelpdef.dll" | Fialggcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dijjgegh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Keango32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ibillk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhemaec.dll" | Fofekp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mcmkoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kidjfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jdaqmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bdfahaaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imekmp32.dll" | Ekblplgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" | Kgfoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ecjgio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafjcm32.dll" | Dlqgob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ipimic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oeehln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnkaj32.dll" | Kmclmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemjdi32.dll" | Eekdmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dimfmeef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Khjkiikl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnhokob.dll" | Fcegdnna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaipg32.dll" | Eqninhmc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jdaqmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malbbh32.dll" | Dboglhna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mgfjjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafimk32.dll" | Ppfomk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkohlcb.dll" | Hehhqk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dqddmd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Einebddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblhqf32.dll" | Kmmiaknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoqnikmd.dll" | Allbpqcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kickkg32.dll" | Igmepdbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ohmoco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gkaljdaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmkge32.dll" | Dcfknooi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfljfho.dll" | Fnmjpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmdkm32.dll" | Glnkcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmchaflb.dll" | Ikapdqoc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.58b219a67d35b8a40318a16c986f9dd0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.58b219a67d35b8a40318a16c986f9dd0.exe"), PID 2272
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Daipqhdg.exe (command line: C:\Windows\system32\Daipqhdg.exe), PID 1832
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ejkkfjkj.exe (command line: C:\Windows\system32\Ejkkfjkj.exe), PID 2720
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

1. C:\Windows\SysWOW64\Epecbd32.exe (command line: C:\Windows\system32\Epecbd32.exe), PID 2732
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Egokonjc.exe (command line: C:\Windows\system32\Egokonjc.exe), PID 2160
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Epgphcqd.exe (command line: C:\Windows\system32\Epgphcqd.exe), PID 2448
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Enkpahon.exe (command line: C:\Windows\system32\Enkpahon.exe), PID 2608
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Eolmip32.exe (command line: C:\Windows\system32\Eolmip32.exe), PID 2312
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fjbafi32.exe (command line: C:\Windows\system32\Fjbafi32.exe), PID 2804
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fqlicclo.exe (command line: C:\Windows\system32\Fqlicclo.exe), PID 2664
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fbmfkkbm.exe (command line: C:\Windows\system32\Fbmfkkbm.exe), PID 2436
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Fmcjhdbc.exe (command line: C:\Windows\system32\Fmcjhdbc.exe), PID 1992
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fhikme32.exe (command line: C:\Windows\system32\Fhikme32.exe), PID 2244
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fnfcel32.exe (command line: C:\Windows\system32\Fnfcel32.exe), PID 1060
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Fgohna32.exe (command line: C:\Windows\system32\Fgohna32.exe), PID 1924
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fkmqdpce.exe (command line: C:\Windows\system32\Fkmqdpce.exe), PID 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Gbaken32.exe (command line: C:\Windows\system32\Gbaken32.exe), PID 2388
    - Executes dropped EXE
    - Loads dropped DLL
15. C:\Windows\SysWOW64\Hinqgg32.exe (command line: C:\Windows\system32\Hinqgg32.exe), PID 900
    - Executes dropped EXE
    - Loads dropped DLL
16. C:\Windows\SysWOW64\Hipmmg32.exe (command line: C:\Windows\system32\Hipmmg32.exe), PID 1412
    - Executes dropped EXE
    - Loads dropped DLL
17. C:\Windows\SysWOW64\Hegnahjo.exe (command line: C:\Windows\system32\Hegnahjo.exe), PID 1660
    - Executes dropped EXE
    - Loads dropped DLL
18. C:\Windows\SysWOW64\Hlafnbal.exe (command line: C:\Windows\system32\Hlafnbal.exe), PID 1640
    - Executes dropped EXE
    - Loads dropped DLL
19. C:\Windows\SysWOW64\Hnbopmnm.exe (command line: C:\Windows\system32\Hnbopmnm.exe), PID 1652
    - Executes dropped EXE
    - Loads dropped DLL
20. C:\Windows\SysWOW64\Iabhah32.exe (command line: C:\Windows\system32\Iabhah32.exe), PID 1392
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
21. C:\Windows\SysWOW64\Iphecepe.exe (command line: C:\Windows\system32\Iphecepe.exe), PID 1808
    - Executes dropped EXE
    - Loads dropped DLL
22. C:\Windows\SysWOW64\Imleli32.exe (command line: C:\Windows\system32\Imleli32.exe), PID 3016
    - Executes dropped EXE
    - Loads dropped DLL
23. C:\Windows\SysWOW64\Iegjqk32.exe (command line: C:\Windows\system32\Iegjqk32.exe), PID 1948
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
24. C:\Windows\SysWOW64\Ioooiack.exe (command line: C:\Windows\system32\Ioooiack.exe), PID 1336
    - Executes dropped EXE
    - Loads dropped DLL
25. C:\Windows\SysWOW64\Ioakoq32.exe (command line: C:\Windows\system32\Ioakoq32.exe), PID 2728
    - Executes dropped EXE
    - Loads dropped DLL
26. C:\Windows\SysWOW64\Ielclkhe.exe (command line: C:\Windows\system32\Ielclkhe.exe), PID 2428
    - Executes dropped EXE
    - Loads dropped DLL
27. C:\Windows\SysWOW64\Jdaqmg32.exe (command line: C:\Windows\system32\Jdaqmg32.exe), PID 2844
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
28. C:\Windows\SysWOW64\Jdcmbgkj.exe (command line: C:\Windows\system32\Jdcmbgkj.exe), PID 2880
    - Executes dropped EXE
    - Loads dropped DLL
29. C:\Windows\SysWOW64\Jpjngh32.exe (command line: C:\Windows\system32\Jpjngh32.exe), PID 2592
    - Executes dropped EXE
    - Loads dropped DLL
30. C:\Windows\SysWOW64\Jnnnalph.exe (command line: C:\Windows\system32\Jnnnalph.exe), PID 1988
    - Executes dropped EXE
31. C:\Windows\SysWOW64\Jgfcja32.exe (command line: C:\Windows\system32\Jgfcja32.exe), PID 2580
    - Executes dropped EXE
32. C:\Windows\SysWOW64\Jnpkflne.exe (command line: C:\Windows\system32\Jnpkflne.exe), PID 2908
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Kcmcoblm.exe (command line: C:\Windows\system32\Kcmcoblm.exe), PID 2292
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Kfkpknkq.exe (command line: C:\Windows\system32\Kfkpknkq.exe), PID 332
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Kpcqnf32.exe (command line: C:\Windows\system32\Kpcqnf32.exe), PID 2016
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Kkmand32.exe (command line: C:\Windows\system32\Kkmand32.exe), PID 1160
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Kbgjkn32.exe (command line: C:\Windows\system32\Kbgjkn32.exe), PID 564
    - Executes dropped EXE
38. C:\Windows\SysWOW64\Kdefgj32.exe (command line: C:\Windows\system32\Kdefgj32.exe), PID 2396
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Kkoncdcp.exe (command line: C:\Windows\system32\Kkoncdcp.exe), PID 3004
    - Executes dropped EXE
40. C:\Windows\SysWOW64\Knnkpobc.exe (command line: C:\Windows\system32\Knnkpobc.exe), PID 1032
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Kgfoie32.exe (command line: C:\Windows\system32\Kgfoie32.exe), PID 1540
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
42. C:\Windows\SysWOW64\Lkakicam.exe (command line: C:\Windows\system32\Lkakicam.exe), PID 2268
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Lblcfnhj.exe (command line: C:\Windows\system32\Lblcfnhj.exe), PID 1684
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Lghlndfa.exe (command line: C:\Windows\system32\Lghlndfa.exe), PID 1760
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Ljghjpfe.exe (command line: C:\Windows\system32\Ljghjpfe.exe), PID 556
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Ldllgiek.exe (command line: C:\Windows\system32\Ldllgiek.exe), PID 2180
    - Executes dropped EXE
47. C:\Windows\SysWOW64\Lmgalkcf.exe (command line: C:\Windows\system32\Lmgalkcf.exe), PID 1200
    - Executes dropped EXE
48. C:\Windows\SysWOW64\Lqcmmjko.exe (command line: C:\Windows\system32\Lqcmmjko.exe), PID 2264
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Lngnfnji.exe (command line: C:\Windows\system32\Lngnfnji.exe), PID 2460
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe), PID 2860
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Ljnnko32.exe (command line: C:\Windows\system32\Ljnnko32.exe), PID 2980
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Lcfbdd32.exe (command line: C:\Windows\system32\Lcfbdd32.exe), PID 2740
    - Executes dropped EXE
53. C:\Windows\SysWOW64\Mjpkqonj.exe (command line: C:\Windows\system32\Mjpkqonj.exe), PID 2624
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Mbkpeake.exe (command line: C:\Windows\system32\Mbkpeake.exe), PID 3040
    - Executes dropped EXE
55. C:\Windows\SysWOW64\Miehak32.exe (command line: C:\Windows\system32\Miehak32.exe), PID 2076
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
56. C:\Windows\SysWOW64\Mkddnf32.exe (command line: C:\Windows\system32\Mkddnf32.exe), PID 2956
    - Executes dropped EXE
    - Drops file in System32 directory
57. C:\Windows\SysWOW64\Melifl32.exe (command line: C:\Windows\system32\Melifl32.exe), PID 2936
    - Executes dropped EXE
58. C:\Windows\SysWOW64\Mgjebg32.exe (command line: C:\Windows\system32\Mgjebg32.exe), PID 2548
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Meoell32.exe (command line: C:\Windows\system32\Meoell32.exe), PID 1044
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Mjkndb32.exe (command line: C:\Windows\system32\Mjkndb32.exe), PID 756
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
61. C:\Windows\SysWOW64\Mbbfep32.exe (command line: C:\Windows\system32\Mbbfep32.exe), PID 1108
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Mhonngce.exe (command line: C:\Windows\system32\Mhonngce.exe), PID 2644
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Mnifja32.exe (command line: C:\Windows\system32\Mnifja32.exe), PID 1648
    - Drops file in System32 directory
64. C:\Windows\SysWOW64\Necogkbo.exe (command line: C:\Windows\system32\Necogkbo.exe), PID 2984
65. C:\Windows\SysWOW64\Nfdkoc32.exe (command line: C:\Windows\system32\Nfdkoc32.exe), PID 2508
66. C:\Windows\SysWOW64\Nnkcpq32.exe (command line: C:\Windows\system32\Nnkcpq32.exe), PID 2200
67. C:\Windows\SysWOW64\Ndhlhg32.exe (command line: C:\Windows\system32\Ndhlhg32.exe), PID 2044
68. C:\Windows\SysWOW64\Nfghdcfj.exe (command line: C:\Windows\system32\Nfghdcfj.exe), PID 684
    - Drops file in System32 directory
69. C:\Windows\SysWOW64\Nfidjbdg.exe (command line: C:\Windows\system32\Nfidjbdg.exe), PID 3032
70. C:\Windows\SysWOW64\Nmcmgm32.exe (command line: C:\Windows\system32\Nmcmgm32.exe), PID 2108
71. C:\Windows\SysWOW64\Nenakoho.exe (command line: C:\Windows\system32\Nenakoho.exe), PID 868
72. C:\Windows\SysWOW64\Nfnneb32.exe (command line: C:\Windows\system32\Nfnneb32.exe), PID 844
73. C:\Windows\SysWOW64\Ooicid32.exe (command line: C:\Windows\system32\Ooicid32.exe), PID 616
74. C:\Windows\SysWOW64\Oagoep32.exe (command line: C:\Windows\system32\Oagoep32.exe), PID 2468
    - Drops file in System32 directory
75. C:\Windows\SysWOW64\Ohagbj32.exe (command line: C:\Windows\system32\Ohagbj32.exe), PID 2112
76. C:\Windows\SysWOW64\Oeehln32.exe (command line: C:\Windows\system32\Oeehln32.exe), PID 2444
    - Modifies registry class
77. C:\Windows\SysWOW64\Ohcdhi32.exe (command line: C:\Windows\system32\Ohcdhi32.exe), PID 2824
78. C:\Windows\SysWOW64\Oonldcih.exe (command line: C:\Windows\system32\Oonldcih.exe), PID 2948
79. C:\Windows\SysWOW64\Ogiaif32.exe (command line: C:\Windows\system32\Ogiaif32.exe), PID 3044
80. C:\Windows\SysWOW64\Oopijc32.exe (command line: C:\Windows\system32\Oopijc32.exe), PID 1168
81. C:\Windows\SysWOW64\Opaebkmc.exe (command line: C:\Windows\system32\Opaebkmc.exe), PID 2008
82. C:\Windows\SysWOW64\Ohhmcinf.exe (command line: C:\Windows\system32\Ohhmcinf.exe), PID 3056
    - Modifies registry class
83. C:\Windows\SysWOW64\Oijjka32.exe (command line: C:\Windows\system32\Oijjka32.exe), PID 2648
84. C:\Windows\SysWOW64\Ppcbgkka.exe (command line: C:\Windows\system32\Ppcbgkka.exe), PID 520
85. C:\Windows\SysWOW64\Pgnjde32.exe (command line: C:\Windows\system32\Pgnjde32.exe), PID 1696
    - Drops file in System32 directory
86. C:\Windows\SysWOW64\Pilfpqaa.exe (command line: C:\Windows\system32\Pilfpqaa.exe), PID 1504
87. C:\Windows\SysWOW64\Ppfomk32.exe (command line: C:\Windows\system32\Ppfomk32.exe), PID 276
    - Modifies registry class
88. C:\Windows\SysWOW64\Pcdkif32.exe (command line: C:\Windows\system32\Pcdkif32.exe), PID 2248
89. C:\Windows\SysWOW64\Pincfpoo.exe (command line: C:\Windows\system32\Pincfpoo.exe), PID 2188
90. C:\Windows\SysWOW64\Pnjofo32.exe (command line: C:\Windows\system32\Pnjofo32.exe), PID 1100
    - Drops file in System32 directory
91. C:\Windows\SysWOW64\Pcghof32.exe (command line: C:\Windows\system32\Pcghof32.exe), PID 1384
92. C:\Windows\SysWOW64\Pnbojmmp.exe (command line: C:\Windows\system32\Pnbojmmp.exe), PID 1672
93. C:\Windows\SysWOW64\Hqiqjlga.exe (command line: C:\Windows\system32\Hqiqjlga.exe), PID 2300
94. C:\Windows\SysWOW64\Bheaiekc.exe (command line: C:\Windows\system32\Bheaiekc.exe), PID 2676
    - Drops file in System32 directory
95. C:\Windows\SysWOW64\Gigkbm32.exe (command line: C:\Windows\system32\Gigkbm32.exe), PID 2632
96. C:\Windows\SysWOW64\Gpacogjm.exe (command line: C:\Windows\system32\Gpacogjm.exe), PID 1216
97. C:\Windows\SysWOW64\Ggklka32.exe (command line: C:\Windows\system32\Ggklka32.exe), PID 672
98. C:\Windows\SysWOW64\Haemloni.exe (command line: C:\Windows\system32\Haemloni.exe), PID 1612
    - Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Hljaigmo.exe (command line: C:\Windows\system32\Hljaigmo.exe), PID 1516
100. C:\Windows\SysWOW64\Hagianlf.exe (command line: C:\Windows\system32\Hagianlf.exe), PID 1616
     - Drops file in System32 directory
101. C:\Windows\SysWOW64\Hlmnogkl.exe (command line: C:\Windows\system32\Hlmnogkl.exe), PID 976
102. C:\Windows\SysWOW64\Hokjkbkp.exe (command line: C:\Windows\system32\Hokjkbkp.exe), PID 1708
103. C:\Windows\SysWOW64\Hajfgnjc.exe (command line: C:\Windows\system32\Hajfgnjc.exe), PID 2196
104. C:\Windows\SysWOW64\Hkbkpcpd.exe (command line: C:\Windows\system32\Hkbkpcpd.exe), PID 2432
105. C:\Windows\SysWOW64\Halcmn32.exe (command line: C:\Windows\system32\Halcmn32.exe), PID 2720
106. C:\Windows\SysWOW64\Hdjoii32.exe (command line: C:\Windows\system32\Hdjoii32.exe), PID 2400
     - Drops file in System32 directory
107. C:\Windows\SysWOW64\Hkdgecna.exe (command line: C:\Windows\system32\Hkdgecna.exe), PID 1992
108. C:\Windows\SysWOW64\Hbnpbm32.exe (command line: C:\Windows\system32\Hbnpbm32.exe), PID 1340
109. C:\Windows\SysWOW64\Idmlniea.exe (command line: C:\Windows\system32\Idmlniea.exe), PID 2992
110. C:\Windows\SysWOW64\Ikfdkc32.exe (command line: C:\Windows\system32\Ikfdkc32.exe), PID 1804
111. C:\Windows\SysWOW64\Imhqbkbm.exe (command line: C:\Windows\system32\Imhqbkbm.exe), PID 2496
     - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Idohdhbo.exe (command line: C:\Windows\system32\Idohdhbo.exe), PID 1932
113. C:\Windows\SysWOW64\Igmepdbc.exe (command line: C:\Windows\system32\Igmepdbc.exe), PID 2592
     - Modifies registry class
114. C:\Windows\SysWOW64\Ijlaloaf.exe (command line: C:\Windows\system32\Ijlaloaf.exe), PID 332
     - Drops file in System32 directory
115. C:\Windows\SysWOW64\Ifbaapfk.exe (command line: C:\Windows\system32\Ifbaapfk.exe), PID 3004
     - Drops file in System32 directory
116. C:\Windows\SysWOW64\Immjnj32.exe (command line: C:\Windows\system32\Immjnj32.exe), PID 1760
     - Drops file in System32 directory
117. C:\Windows\SysWOW64\Iokfjf32.exe (command line: C:\Windows\system32\Iokfjf32.exe), PID 2460
118. C:\Windows\SysWOW64\Ifengpdh.exe (command line: C:\Windows\system32\Ifengpdh.exe), PID 3040
119. C:\Windows\SysWOW64\Imogcj32.exe (command line: C:\Windows\system32\Imogcj32.exe), PID 1608
120. C:\Windows\SysWOW64\Iciopdca.exe (command line: C:\Windows\system32\Iciopdca.exe), PID 2136
     - Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Iejkhlip.exe (command line: C:\Windows\system32\Iejkhlip.exe), PID 1528
122. C:\Windows\SysWOW64\Iifghk32.exe (command line: C:\Windows\system32\Iifghk32.exe), PID 1564