Analysis
max time kernel: 145s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 11:13

Behavioral task: behavioral1
Sample: e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e.exe
Resource: win7-20220812-en
10 signatures
150 seconds

Behavioral task: behavioral2
Sample: e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e.exe
Resource: win10v2004-20220812-en
9 signatures
150 seconds

General
Target: e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e.exe
Size: 149KB
MD5: 38b14bb6299d587fc81c2d936a76efe7
SHA1: 32e142a8b41bbd5fcd85f3ab05a71c1a5b8dfdc8
SHA256: e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e
SHA512: 42ea5c505d16111fe73813fb7ae03dfe065ab772d5cb26d988fea437560ce2913ea4d9ef66e900bd1cdee7fd1e9a730dfcb7bbee3327fee64c9386c4360e1290
SSDEEP: 3072:P2T7uCWOhANdpgMxsdSyg4TvtcMk8Lyzb8ckivlu5KsiCbmN:PW7uCWOh4pl2GkGMkSgb8Svlu5KsON
Score: 10/10

Malware Config

Signatures
Gh0st RAT payload 64 IoCs
Executes dropped EXE 64 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e.exe"C:\Users\Admin\AppData\Local\Temp\e7553fa51ecb0e35e290dc3a7ae00760fee07489c10b725c86e556cf1140cf9e.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\System32\incgzwjvl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\System32\indwztgsi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\System32\inldtepix.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\System32\inqcxrfhg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\System32\inixpjqgj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\System32\inpbwqegf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\inhwoipfi.exeC:\Windows\System32\inhwoipfi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\System32\inoavpdfe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\System32\inbuxzyre.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\System32\inqmfrmyb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\SysWOW64\insezthji.exeC:\Windows\System32\insezthji.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644 -
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\System32\infhthtec.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908 -
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\System32\inbfyviuk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976 -
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\System32\inmtnbdcu.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\SysWOW64\innuocedv.exeC:\Windows\System32\innuocedv.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\System32\inruwvobn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020 -
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\System32\inetlfmxc.exe18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136 -
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\System32\inykznpoh.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572 -
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\System32\inmeufqjy.exe20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760 -
C:\Windows\SysWOW64\indxawycz.exeC:\Windows\System32\indxawycz.exe21⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\SysWOW64\inxtemyti.exeC:\Windows\System32\inxtemyti.exe22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\SysWOW64\inhjvjvge.exeC:\Windows\System32\inhjvjvge.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580 -
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\System32\ingvzmksi.exe24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\System32\ingwzqpxx.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\System32\insohtodl.exe26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\System32\indskelwb.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828 -
C:\Windows\SysWOW64\innfvgrkz.exeC:\Windows\System32\innfvgrkz.exe28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\System32\inrdysgih.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016 -
C:\Windows\SysWOW64\inugvjlkd.exeC:\Windows\System32\inugvjlkd.exe30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\SysWOW64\inewrcnnk.exeC:\Windows\System32\inewrcnnk.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\System32\inwsdlxsh.exe32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572 -
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\System32\inlsmacbt.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468 -
C:\Windows\SysWOW64\inxnqhgoo.exeC:\Windows\System32\inxnqhgoo.exe34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956 -
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\System32\inyjbrycn.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\SysWOW64\inrngsnzc.exeC:\Windows\System32\inrngsnzc.exe36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388 -
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\System32\inazpsjiq.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\System32\inxiaqxbm.exe38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\System32\inmprqjiy.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\Windows\SysWOW64\inijzqpfx.exeC:\Windows\System32\inijzqpfx.exe40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\SysWOW64\ingtgabri.exeC:\Windows\System32\ingtgabri.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\SysWOW64\inecpcnet.exeC:\Windows\System32\inecpcnet.exe42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Windows\SysWOW64\inpiofygs.exeC:\Windows\System32\inpiofygs.exe43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936 -
C:\Windows\SysWOW64\inpleqlxa.exeC:\Windows\System32\inpleqlxa.exe44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\SysWOW64\inbqiycju.exeC:\Windows\System32\inbqiycju.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\System32\incvyzsfr.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196 -
C:\Windows\SysWOW64\infudswxj.exeC:\Windows\System32\infudswxj.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\System32\insrzztuj.exe48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568 -
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\System32\invrckwrg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Windows\SysWOW64\ingrakqpr.exeC:\Windows\System32\ingrakqpr.exe50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\SysWOW64\inzloqpih.exeC:\Windows\System32\inzloqpih.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\System32\inogwahsa.exe52⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732 -
C:\Windows\SysWOW64\incanalcr.exeC:\Windows\System32\incanalcr.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272 -
C:\Windows\SysWOW64\indrzpldy.exeC:\Windows\System32\indrzpldy.exe54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188 -
C:\Windows\SysWOW64\inzhpyfbx.exeC:\Windows\System32\inzhpyfbx.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\SysWOW64\injfqeotx.exeC:\Windows\System32\injfqeotx.exe56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808 -
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\System32\inaphxbit.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756 -
C:\Windows\SysWOW64\inbqostfv.exeC:\Windows\System32\inbqostfv.exe58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580 -
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\System32\innqsrkjz.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\SysWOW64\inbpxnjbw.exeC:\Windows\System32\inbpxnjbw.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\System32\ingvnhoze.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\SysWOW64\inpdimgmm.exeC:\Windows\System32\inpdimgmm.exe62⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140 -
C:\Windows\SysWOW64\infumgnyd.exeC:\Windows\System32\infumgnyd.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464 -
C:\Windows\SysWOW64\inigtklnv.exeC:\Windows\System32\inigtklnv.exe64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\SysWOW64\inwmpgfnn.exeC:\Windows\System32\inwmpgfnn.exe65⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\inapnrseu.exeC:\Windows\System32\inapnrseu.exe66⤵PID:964
-
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\System32\inhfsfaqh.exe67⤵PID:1628
-
C:\Windows\SysWOW64\inzkcszdo.exeC:\Windows\System32\inzkcszdo.exe68⤵PID:1124
-
C:\Windows\SysWOW64\inlofemzm.exeC:\Windows\System32\inlofemzm.exe69⤵PID:1136
-
C:\Windows\SysWOW64\incsvmltt.exeC:\Windows\System32\incsvmltt.exe70⤵PID:1756
-
C:\Windows\SysWOW64\inxrqyyst.exeC:\Windows\System32\inxrqyyst.exe71⤵PID:1572
-
C:\Windows\SysWOW64\inqtvunam.exeC:\Windows\System32\inqtvunam.exe72⤵PID:1428
-
C:\Windows\SysWOW64\innoddvuk.exeC:\Windows\System32\innoddvuk.exe73⤵PID:1504
-
C:\Windows\SysWOW64\inrshhzyd.exeC:\Windows\System32\inrshhzyd.exe74⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\inoxdfqoe.exeC:\Windows\System32\inoxdfqoe.exe75⤵PID:1576
-
C:\Windows\SysWOW64\inrxixhwa.exeC:\Windows\System32\inrxixhwa.exe76⤵PID:1888
-
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\System32\injwnoaqy.exe77⤵PID:1364
-
C:\Windows\SysWOW64\ingerepgv.exeC:\Windows\System32\ingerepgv.exe78⤵
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\ingvetxyk.exeC:\Windows\System32\ingvetxyk.exe79⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\intsuvkkg.exeC:\Windows\System32\intsuvkkg.exe80⤵
- Modifies Installed Components in the registry
PID:1984 -
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\System32\insvxwpco.exe81⤵PID:1616
-
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\System32\inyufnzuj.exe82⤵PID:1524
-
C:\Windows\SysWOW64\inytozkkh.exeC:\Windows\System32\inytozkkh.exe83⤵
- Modifies Installed Components in the registry
PID:1044 -
C:\Windows\SysWOW64\inhwfuyzl.exeC:\Windows\System32\inhwfuyzl.exe84⤵
- Modifies Installed Components in the registry
PID:332 -
C:\Windows\SysWOW64\ingtvpopk.exeC:\Windows\System32\ingtvpopk.exe85⤵PID:1188
-
C:\Windows\SysWOW64\inhscspdt.exeC:\Windows\System32\inhscspdt.exe86⤵PID:824
-
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\System32\inhegsgsd.exe87⤵PID:1052
-
C:\Windows\SysWOW64\inaexuhtj.exeC:\Windows\System32\inaexuhtj.exe88⤵PID:2012
-
C:\Windows\SysWOW64\inhwnltjf.exeC:\Windows\System32\inhwnltjf.exe89⤵PID:572
-
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\System32\inatwyxqd.exe90⤵PID:1620
-
C:\Windows\SysWOW64\ingiuiufd.exeC:\Windows\System32\ingiuiufd.exe91⤵PID:1468
-
C:\Windows\SysWOW64\inaikwkwh.exeC:\Windows\System32\inaikwkwh.exe92⤵PID:2032
-
C:\Windows\SysWOW64\inghxondz.exeC:\Windows\System32\inghxondz.exe93⤵PID:812
-
C:\Windows\SysWOW64\inbaqtkjr.exeC:\Windows\System32\inbaqtkjr.exe94⤵PID:1384
-
C:\Windows\SysWOW64\inrfpuysy.exeC:\Windows\System32\inrfpuysy.exe95⤵PID:1360
-
C:\Windows\SysWOW64\inbohznex.exeC:\Windows\System32\inbohznex.exe96⤵PID:860
-
C:\Windows\SysWOW64\inahuhbcs.exeC:\Windows\System32\inahuhbcs.exe97⤵PID:1592
-
C:\Windows\SysWOW64\injhulmow.exeC:\Windows\System32\injhulmow.exe98⤵PID:1716
-
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\System32\incrjzdkv.exe99⤵PID:1072
-
C:\Windows\SysWOW64\inftrnfcc.exeC:\Windows\System32\inftrnfcc.exe100⤵PID:1628
-
C:\Windows\SysWOW64\inrkqhiua.exeC:\Windows\System32\inrkqhiua.exe101⤵PID:1048
-
C:\Windows\SysWOW64\incwvxbyn.exeC:\Windows\System32\incwvxbyn.exe102⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\incraptug.exeC:\Windows\System32\incraptug.exe103⤵
- Modifies Installed Components in the registry
PID:1756 -
C:\Windows\SysWOW64\inyluacnl.exeC:\Windows\System32\inyluacnl.exe104⤵
- Modifies Installed Components in the registry
PID:1492 -
C:\Windows\SysWOW64\inertnmni.exeC:\Windows\System32\inertnmni.exe105⤵PID:1520
-
C:\Windows\SysWOW64\inpfzcyeq.exeC:\Windows\System32\inpfzcyeq.exe106⤵PID:1740
-
C:\Windows\SysWOW64\intxcqoxe.exeC:\Windows\System32\intxcqoxe.exe107⤵PID:1968
-
C:\Windows\SysWOW64\iniizepdz.exeC:\Windows\System32\iniizepdz.exe108⤵PID:1552
-
C:\Windows\SysWOW64\inkivmnpx.exeC:\Windows\System32\inkivmnpx.exe109⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\inhiypoew.exeC:\Windows\System32\inhiypoew.exe110⤵PID:1704
-
C:\Windows\SysWOW64\inckxztas.exeC:\Windows\System32\inckxztas.exe111⤵PID:1836
-
C:\Windows\SysWOW64\inwemzvcu.exeC:\Windows\System32\inwemzvcu.exe112⤵PID:892
-
C:\Windows\SysWOW64\injyiwuqi.exeC:\Windows\System32\injyiwuqi.exe113⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\indtosnaj.exeC:\Windows\System32\indtosnaj.exe114⤵PID:1560
-
C:\Windows\SysWOW64\inbmkzbqa.exeC:\Windows\System32\inbmkzbqa.exe115⤵
- Modifies Installed Components in the registry
PID:272 -
C:\Windows\SysWOW64\ineqbmfxl.exeC:\Windows\System32\ineqbmfxl.exe116⤵PID:968
-
C:\Windows\SysWOW64\inzvgovkd.exeC:\Windows\System32\inzvgovkd.exe117⤵PID:1108
-
C:\Windows\SysWOW64\inkuaczqt.exeC:\Windows\System32\inkuaczqt.exe118⤵PID:332
-
C:\Windows\SysWOW64\ingfvhjng.exeC:\Windows\System32\ingfvhjng.exe119⤵PID:1188
-
C:\Windows\SysWOW64\invnbgkek.exeC:\Windows\System32\invnbgkek.exe120⤵PID:824
-
C:\Windows\SysWOW64\inocokdvj.exeC:\Windows\System32\inocokdvj.exe121⤵PID:984
-
C:\Windows\SysWOW64\insbquvhx.exeC:\Windows\System32\insbquvhx.exe122⤵
- Modifies Installed Components in the registry
PID:1368