Analysis
max time kernel: 117s
max time network: 124s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2023, 15:52
Behavioral task behavioral1
Sample: NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe
Resource: win7-20230831-en
11 signatures, 150 seconds

Behavioral task behavioral2
Sample: NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe
Resource: win10v2004-20230915-en
11 signatures, 150 seconds
General
Target: NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe
Size: 348KB
MD5: 793bba9fba7b970d4a5af2a2aaaf53d1
SHA1: 834f1ecbeabb17c99263c9df2a50225ad4716ecc
SHA256: f50e367dcb89dd3398c973ab195912d7c3136ed28f106491bbeb39bada9bd727
SHA512: 7626d8e5bd24f522b9162ea05af99e6f1d4a21a7203d5eca277f42099a9188ffd2baf9435881c75fedade40920f6b9543d284c038745f6aa3f0f833ffd4c1f60
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0Sx:ouLwoZQGpnedeP/deUe1ppGjTGHZRT09
Score: 10/10
Malware Config
Signatures
All IoCs listed below come from behavioral1 (the win7-20230831-en run); each list is capped at 64 entries by the sandbox, so the counts are lower bounds, not totals.
Gh0st RAT payload 64 IoCs
resource (every resource below matched yara_rule family_gh0strat)
behavioral1/memory/2300-0-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x001b000000015c5a-17.dat
behavioral1/files/0x001b000000015c5a-20.dat
behavioral1/files/0x001b000000015c5a-25.dat
behavioral1/memory/2300-27-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x001b000000015c5a-24.dat
behavioral1/files/0x001b000000015c5a-23.dat
behavioral1/files/0x0007000000015daf-30.dat
behavioral1/files/0x0009000000015e2b-39.dat
behavioral1/files/0x0009000000015e2b-42.dat
behavioral1/files/0x001b000000015c5a-22.dat
behavioral1/files/0x0009000000015e2b-48.dat
behavioral1/files/0x0009000000015e2b-51.dat
behavioral1/memory/1668-54-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/memory/2664-65-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x0009000000015e2b-50.dat
behavioral1/files/0x0009000000015e2b-49.dat
behavioral1/files/0x0009000000015e2b-47.dat
behavioral1/files/0x00060000000162e2-70.dat
behavioral1/files/0x00060000000162e2-72.dat
behavioral1/memory/2672-80-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/memory/2664-82-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x00060000000162e2-78.dat
behavioral1/files/0x00060000000162e2-77.dat
behavioral1/files/0x00060000000162e2-76.dat
behavioral1/files/0x00060000000162e2-75.dat
behavioral1/files/0x00060000000167ef-96.dat
behavioral1/files/0x00060000000167ef-104.dat
behavioral1/memory/3000-109-0x0000000000230000-0x000000000025F000-memory.dmp
behavioral1/memory/2672-108-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/memory/3000-114-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x00060000000167ef-106.dat
behavioral1/files/0x00060000000167ef-105.dat
behavioral1/files/0x00060000000167ef-103.dat
behavioral1/files/0x00060000000167ef-102.dat
behavioral1/files/0x0006000000016c26-126.dat
behavioral1/files/0x0006000000016c26-135.dat
behavioral1/memory/1568-138-0x0000000000230000-0x000000000025F000-memory.dmp
behavioral1/memory/3000-137-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x0006000000016c26-134.dat
behavioral1/files/0x0006000000016c26-133.dat
behavioral1/files/0x0006000000016c26-132.dat
behavioral1/files/0x0006000000016c26-131.dat
behavioral1/memory/1568-151-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x0006000000016cda-155.dat
behavioral1/files/0x0006000000016cda-160.dat
behavioral1/files/0x0006000000016cda-163.dat
behavioral1/files/0x0006000000016cda-164.dat
behavioral1/memory/2720-176-0x0000000000230000-0x000000000025F000-memory.dmp
behavioral1/memory/2720-178-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/files/0x0006000000016cda-162.dat
behavioral1/files/0x0006000000016cda-161.dat
behavioral1/files/0x0006000000016cfe-183.dat
behavioral1/files/0x0006000000016cfe-186.dat
behavioral1/files/0x0006000000016cfe-188.dat
behavioral1/files/0x0006000000016cfe-191.dat
behavioral1/files/0x0006000000016cfe-190.dat
behavioral1/files/0x0006000000016cfe-189.dat
behavioral1/files/0x0006000000016d48-208.dat
behavioral1/files/0x0006000000016d48-213.dat
behavioral1/files/0x0006000000016d48-215.dat
behavioral1/files/0x0006000000016d48-216.dat
behavioral1/files/0x0006000000016d48-217.dat
behavioral1/memory/1368-220-0x0000000000400000-0x000000000042F000-memory.dmp
Modifies Installed Components in the registry 2 TTPs 64 IoCs
Active Setup runs a component's StubPath once per user at logon when the matching key is absent (or older) under HKCU, so every GUID below is a logon-time persistence entry. The sample is 32-bit: its registry writes land under Wow6432Node, and the files that the StubPath values name under "system32" are actually dropped into SysWOW64 through WOW64 file-system redirection (see "Drops file in System32 directory"). When hunting, query both the native and the Wow6432Node view of Active Setup\Installed Components. Each copy registers the next copy in the chain; for example inlmosntr.exe is the StubPath of {4FABC8B7-1018-4b67-8E72-E99931484D38} and is also the process that sets the StubPath of {1D18BF7E-0D8F-4d21-AF84-16563E51B7F9}.
description ioc Process (all keys are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\)
Set value (str) {5624269A-5E80-4668-977D-DF857A18EB57}\stubpath = "C:\\Windows\\system32\\inuwegjgs.exe" | inhwoipfi.exe
Key created {F13E7FE1-76B5-4eb6-9AFD-7CE8AF83E275} | injdwyyif.exe
Key created {7E1AC284-5499-472e-9EBA-FD8DCE585B30} | inckxztas.exe
Key created {2D4EA9F4-A3EC-42e4-871B-FEA262DB8039} | inmeufqjy.exe
Set value (str) {6435005C-1470-4f7e-BADB-034DA00B01FD}\stubpath = "C:\\Windows\\system32\\inmtiwity.exe" | inlnqnzon.exe
Key created {E549B19F-25B2-4b5e-921A-432441ADF98A} | incxuerhz.exe
Key created {FBE1A9F4-8EC2-4ee0-92D7-0DCE46C59EE8} | inkveoutv.exe
Key created {382C4145-EE6F-4bd0-8419-15C11A9435E2} | inmibthrw.exe
Set value (str) {4FABC8B7-1018-4b67-8E72-E99931484D38}\stubpath = "C:\\Windows\\system32\\inlmosntr.exe" | ingxqnxqy.exe
Set value (str) {A706011D-27EC-4825-B719-45121A0D4F0E}\stubpath = "C:\\Windows\\system32\\inrshhzyd.exe" | inrurbsrs.exe
Set value (str) {45B935E8-5052-4227-8D15-F5A66F76945F}\stubpath = "C:\\Windows\\system32\\ingyagyjp.exe" | injhepyti.exe
Key created {52BE8CFD-D14D-410b-B7F7-F0818BD99820} | inuytzxmg.exe
Set value (str) {8050F7F4-E9ED-4a76-9161-6AB4C71E2478}\stubpath = "C:\\Windows\\system32\\inycopaqa.exe" | inaeepccp.exe
Set value (str) {990DF20A-4B5D-47ab-9F49-3E0FD3500D85}\stubpath = "C:\\Windows\\system32\\inuonujxj.exe" | inclpwksm.exe
Set value (str) {AF233EB6-EE1B-4858-9E3F-68F2172D2FE3}\stubpath = "C:\\Windows\\system32\\inetlfmxc.exe" | inhqlgymf.exe
Set value (str) {D330A13B-E45F-4190-AB61-11F1D7D73578}\stubpath = "C:\\Windows\\system32\\inqnbrgit.exe" | injyiwuqi.exe
Set value (str) {1D18BF7E-0D8F-4d21-AF84-16563E51B7F9}\stubpath = "C:\\Windows\\system32\\inqpqfsux.exe" | inlmosntr.exe
Set value (str) {0DDC8B18-F32D-45b6-A53D-607B252AEF72}\stubpath = "C:\\Windows\\system32\\innqmfdal.exe" | inkmpnlpp.exe
Key created {1A6A5D73-764F-449d-BBDF-60F77C17F127} | incwvxbyn.exe
Key created {C2C1790F-8881-4e08-9B22-1870A597C670} | insohtodl.exe
Set value (str) {9FD1BFE1-4E32-4b67-827D-3E749127EB73}\stubpath = "C:\\Windows\\system32\\intikurgv.exe" | invgvfzue.exe
Set value (str) {54343E73-3E66-4441-8506-DA3073F31BB2}\stubpath = "C:\\Windows\\system32\\inlgisalg.exe" | inboqtqar.exe
Set value (str) {6A451F1D-248C-47a7-A39D-DCF80CADC4C3}\stubpath = "C:\\Windows\\system32\\inloiwrfv.exe" | inuonujxj.exe
Set value (str) {13234317-F18C-4cd3-8133-5C14BCB31EE1}\stubpath = "C:\\Windows\\system32\\inckxztas.exe" | injwnoaqy.exe
Key created {C29673E2-040F-4f5f-8F3E-4432360E4038} | inumafjdj.exe
Set value (str) {5B8C093D-CA14-4d8e-B37E-758637F4BAC1}\stubpath = "C:\\Windows\\system32\\inbrulkss.exe" | inhzrfkoi.exe
Set value (str) {3F0A04A6-1E81-436e-9B86-72692DB8028B}\stubpath = "C:\\Windows\\system32\\inztjzmib.exe" | inlgphgbd.exe
Set value (str) {92EED50F-AD74-4459-88C8-45B09E1B6C22}\stubpath = "C:\\Windows\\system32\\inhyqlaum.exe" | inenfezbl.exe
Key created {C31C86C2-3E4C-490a-BAD5-709BCE4D1EB8} | incrjzdkv.exe
Set value (str) {03D0CD9D-FAD4-4735-B9B1-01A906F5B42F}\stubpath = "C:\\Windows\\system32\\inbqiycju.exe" | ingvzmksi.exe
Key created {341B649D-22EA-4ae8-8A5D-438344464CC5} | innswqwhw.exe
Set value (str) {3BAB44E5-F94A-4082-9028-66C4BD9E7232}\stubpath = "C:\\Windows\\system32\\insrmoybg.exe" | inofbieyd.exe
Set value (str) {1C46A2FF-7149-4ed7-AC05-C125DFA34C74}\stubpath = "C:\\Windows\\system32\\incxuerhz.exe" | incsnrmiw.exe
Set value (str) {9F52C9D6-1164-4391-8EA2-19C14F519CCC}\stubpath = "C:\\Windows\\system32\\inmbydanh.exe" | inpscqoss.exe
Key created {2C114A93-24BE-4111-814C-22C685B3A34C} | innoqupvt.exe
Set value (str) {EE1D7535-69B7-4bf6-839B-2411C3BDF648}\stubpath = "C:\\Windows\\system32\\insnajxry.exe" | inhgwhjlo.exe
Set value (str) {2071CD81-0078-46b5-96E7-67ADEE1DA831}\stubpath = "C:\\Windows\\system32\\inepndjtb.exe" | innptoush.exe
Set value (str) {12D7EA68-8554-4f92-9A14-CADD9A064EEE}\stubpath = "C:\\Windows\\system32\\inzkzjyci.exe" | inbpjipes.exe
Key created {AE45EC0F-D26D-4e0b-A09C-113C8F928081} | infakywft.exe
Key created {99FE1CAA-1487-48d9-9D4E-EC5EF6790180} | inahuhbcs.exe
Key created {F5264A03-8CB5-4bd1-8697-15ACB406F264} | innljnnyl.exe
Set value (str) {F5264A03-8CB5-4bd1-8697-15ACB406F264}\stubpath = "C:\\Windows\\system32\\inlubyhti.exe" | innljnnyl.exe
Key created {7BB5642B-EEF5-4415-A860-7A0882DE4B27} | inqmksego.exe
Set value (str) {7C3E4D93-D058-4b82-9695-4CF3D11CDA67}\stubpath = "C:\\Windows\\system32\\inzyhfjju.exe" | inpdlvxfh.exe
Set value (str) {C5AA836D-D92A-4560-8FAD-9A1A68C3F3F7}\stubpath = "C:\\Windows\\system32\\invgvfzue.exe" | inxhvtpha.exe
Set value (str) {739A61DC-EEFC-44ae-9AE9-990F9AD19821}\stubpath = "C:\\Windows\\system32\\inenfzwlg.exe" | inokiqcye.exe
Key created {61F84126-CD91-4a1f-8E4E-C3829F713C36} | inhjvjvge.exe
Key created {2071CD81-0078-46b5-96E7-67ADEE1DA831} | innptoush.exe
Set value (str) {52BE8CFD-D14D-410b-B7F7-F0818BD99820}\stubpath = "C:\\Windows\\system32\\infsilnih.exe" | inuytzxmg.exe
Set value (str) {68503174-E810-4f03-B62F-8D405F0BF368}\stubpath = "C:\\Windows\\system32\\inogytvbt.exe" | inomvcziu.exe
Set value (str) {74606964-2494-42e0-B6D8-7B3F62F5408A}\stubpath = "C:\\Windows\\system32\\indskelwb.exe" | injmdckxk.exe
Key created {09858C8C-A8B0-445b-A536-14A4BF931631} | inhnmoqun.exe
Key created {0C2669B4-CBC6-44f6-9233-AA30C75401BC} | ingvfeugi.exe
Set value (str) {95A2038E-149F-4f22-9FAE-4D967D96EE70}\stubpath = "C:\\Windows\\system32\\inwyzbftn.exe" | iniqgcwmo.exe
Set value (str) {DF7B78FE-1597-494c-864B-44482EAD03D9}\stubpath = "C:\\Windows\\system32\\innuoakaq.exe" | inlcfvhzy.exe
Key created {8B3C6EAE-FAB8-47bf-A82F-EE9D60964678} | inxzfxryi.exe
Key created {3CA7F4AF-649C-4e81-9A07-FC176C9C3484} | indryibnm.exe
Key created {6A451F1D-248C-47a7-A39D-DCF80CADC4C3} | inuonujxj.exe
Set value (str) {455987CE-5381-4641-AF12-8622D0025015}\stubpath = "C:\\Windows\\system32\\inqrggyxc.exe" | inecpcnet.exe
Set value (str) {C31C0E49-6E5F-4172-8297-9807EC78BE43}\stubpath = "C:\\Windows\\system32\\inzpesupo.exe" | iniwaqpwa.exe
Set value (str) {38DBCE3A-9CB2-4ee6-AEDE-CAD7E7C4C5D3}\stubpath = "C:\\Windows\\system32\\injqftzfq.exe" | insuhmxsm.exe
Set value (str) {B605633B-E8C7-48f9-9366-0F8AD13F3D17}\stubpath = "C:\\Windows\\system32\\inkwlklan.exe" | inarenvge.exe
Set value (str) {FBEE02D9-0EF6-4581-84D9-3BF4166E49F3}\stubpath = "C:\\Windows\\system32\\inxiaqxbm.exe" | intojzuff.exe
Set value (str) {382C4145-EE6F-4bd0-8419-15C11A9435E2}\stubpath = "C:\\Windows\\system32\\infjxbrqx.exe" | inmibthrw.exe
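The registry entries above are this sample's persistence mechanism, but in the sandbox's flat "description ioc Process" layout it is hard to see which GUID maps to which stub and which process wrote it. The following Python script is an added example, not part of the sandbox report or of the sample: it parses lines in that layout into one record per Active Setup GUID and flags the records that fit this sample's pattern. The embedded input is five lines copied from the report plus one constructed control entry (all-zero GUID, written by msiexec.exe) that is not from the report. The naming heuristic (an "in" prefix followed by seven lowercase letters, a bare executable directly in system32) is taken from the dropped-file names on this page and is specific to this sample; for a general hunt you would replace it with an allow-list of known StubPath values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: five entries copied from the report above, plus one control entry
# (all-zero GUID, msiexec.exe) that is NOT from the report and is shaped like an
# installer-written Active Setup stub with arguments.
SAMPLE_REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5624269A-5E80-4668-977D-DF857A18EB57}\stubpath = "C:\\Windows\\system32\\inuwegjgs.exe" inhwoipfi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F13E7FE1-76B5-4eb6-9AFD-7CE8AF83E275} injdwyyif.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5264A03-8CB5-4bd1-8697-15ACB406F264} innljnnyl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5264A03-8CB5-4bd1-8697-15ACB406F264}\stubpath = "C:\\Windows\\system32\\inlubyhti.exe" innljnnyl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{382C4145-EE6F-4bd0-8419-15C11A9435E2}\stubpath = "C:\\Windows\\system32\\infjxbrqx.exe" inmibthrw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\stubpath = "C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll" msiexec.exe
"""

# One sandbox line: action, key path (native or Wow6432Node), GUID, optional value
# assignment, and the process that performed the write.
ACTIVE_SETUP_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\'
    r'(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    r'(?:\\(?P<value>[^\\ ]+) = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+)$'
)
# Sample-specific heuristics (assumption: derived from the file names on this page).
SAMPLE_STUB_RE = re.compile(r'^[A-Za-z]:\\Windows\\system32\\in[a-z]{7}\.exe$', re.IGNORECASE)
DROPPER_NAME_RE = re.compile(r'^in[a-z]{7}\.exe$', re.IGNORECASE)


@dataclass
class ActiveSetupEntry:
    guid: str
    wow6432: bool = False
    created_by: Set[str] = field(default_factory=set)
    stubpath: Optional[str] = None
    set_by: Optional[str] = None


def parse_active_setup(text: str) -> Dict[str, ActiveSetupEntry]:
    """Collapse the sandbox's per-write lines into one record per GUID (upper-cased)."""
    entries: Dict[str, ActiveSetupEntry] = {}
    for line in text.strip().splitlines():
        m = ACTIVE_SETUP_RE.match(line.strip())
        if not m:
            continue
        guid = m['guid'].upper()
        entry = entries.setdefault(guid, ActiveSetupEntry(guid, wow6432=m['wow'] is not None))
        if m['action'] == 'Key created':
            entry.created_by.add(m['proc'])
        elif m['value'] and m['value'].lower() == 'stubpath':
            # The sandbox doubles backslashes inside quoted data; undo that.
            entry.stubpath = m['data'].replace('\\\\', '\\')
            entry.set_by = m['proc']
    return entries


def suspicious_stubs(entries: Dict[str, ActiveSetupEntry]) -> List[Tuple[ActiveSetupEntry, List[str]]]:
    """Return (entry, reasons) for entries that fit the sample's pattern."""
    flagged = []
    for e in entries.values():
        reasons = []
        if e.stubpath and SAMPLE_STUB_RE.match(e.stubpath):
            reasons.append('stubpath-matches-sample-naming')
        if e.set_by and DROPPER_NAME_RE.match(e.set_by):
            reasons.append('written-by-dropper-named-process')
        if not e.stubpath and any(DROPPER_NAME_RE.match(p) for p in e.created_by):
            reasons.append('key-created-by-dropper-named-process')
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == '__main__':
    for entry, why in suspicious_stubs(parse_active_setup(SAMPLE_REGISTRY_IOCS)):
        print(entry.guid, 'Wow6432Node' if entry.wow6432 else 'native', entry.stubpath, why)
```

The control entry stays unflagged because its StubPath is a known Windows binary with arguments and its writer is an installer, which is the shape most legitimate Active Setup stubs have; an entry that is only a "Key created" line is still reported, since the report's 64-entry cap hides the matching StubPath write for several GUIDs.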
ACProtect 1.3x - 1.4x DLL software 11 IoCs
Detects file using ACProtect software.
resource (every resource below matched yara_rule acprotect)
behavioral1/files/0x0008000000012021-4.dat
behavioral1/files/0x0007000000015cd0-29.dat
behavioral1/files/0x0007000000015cd0-28.dat
behavioral1/files/0x0006000000016279-56.dat
behavioral1/files/0x0006000000016599-84.dat
behavioral1/files/0x0006000000016ba4-112.dat
behavioral1/files/0x0006000000016c9e-140.dat
behavioral1/files/0x0006000000016cf1-167.dat
behavioral1/files/0x0006000000016d2a-194.dat
behavioral1/files/0x0006000000016d68-222.dat
behavioral1/files/0x0006000000016fdb-249.dat
Executes dropped EXE 64 IoCs
pid Process (note that PID 812 is reused for two different copies)
1668 inrngsnzc.exe, 2664 inzvgovkd.exe, 2672 inrdysgih.exe, 3000 inruwvobn.exe, 1568 ingvnhoze.exe, 2720 inkzrlbas.exe, 1368 innqsrkjz.exe, 532 inwhpwale.exe,
1476 indwztgsi.exe, 1108 intfuikjc.exe, 932 inqtvunam.exe, 816 innfvgrkz.exe, 2960 inxjymong.exe, 1748 inwsdlxsh.exe, 1688 inzkcszdo.exe, 2096 indxawycz.exe,
2284 inmtnbdcu.exe, 2252 inapnrseu.exe, 2504 inhwfuyzl.exe, 2564 invrckwrg.exe, 1432 infvypoww.exe, 1804 inogwahsa.exe, 2560 inaexuhtj.exe, 268 inocokdvj.exe,
2980 incgzwjvl.exe, 1356 incwvxbyn.exe, 1472 inhfsfaqh.exe, 548 inaphxbit.exe, 1776 invhwkmle.exe, 1716 inilcbjwj.exe, 2164 inazpsjiq.exe, 812 injyqkarh.exe,
2332 inbmkzbqa.exe, 2032 inyjbrycn.exe, 2788 insohtodl.exe, 2996 inwgusogd.exe, 2800 inpsutmlb.exe, 2404 infumgnyd.exe, 1600 incrjzdkv.exe, 1632 inkbaivic.exe,
2192 inaikwkwh.exe, 1048 inpbwqegf.exe, 1344 inddmxhxc.exe, 2856 inqmfrmyb.exe, 1996 insezthji.exe, 552 injwnoaqy.exe, 2204 inckxztas.exe, 2940 inlsmacbt.exe,
1720 inbaqtkjr.exe, 3024 inknedlyl.exe, 1080 inugvjlkd.exe, 812 intsuvkkg.exe, 2756 infrfrcan.exe, 2104 indeulkya.exe, 2712 intojzuff.exe, 2776 inxiaqxbm.exe,
2508 inoavpdfe.exe, 1796 ingerepgv.exe, 1676 ingtvpopk.exe, 1564 incvyzsfr.exe, 1036 injmdckxk.exe, 2732 indskelwb.exe, 1308 inwskdhbh.exe, 1272 inadbobmd.exe
Loads dropped DLL 64 IoCs
pid Process (number of dropped-DLL loads logged for that process)
2300 NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe (2)
1668 inrngsnzc.exe (5)
2664 inzvgovkd.exe (5)
2672 inrdysgih.exe (5)
3000 inruwvobn.exe (5)
1568 ingvnhoze.exe (5)
2720 inkzrlbas.exe (5)
1368 innqsrkjz.exe (5)
532 inwhpwale.exe (5)
1476 indwztgsi.exe (5)
1108 intfuikjc.exe (5)
932 inqtvunam.exe (5)
816 innfvgrkz.exe (5)
2960 inxjymong.exe (2; the list is truncated at 64 entries)
Drops file in System32 directory 64 IoCs
The copies share two fixed file names, C:\Windows\SysWOW64\syslog.dat and a <next copy>.exe_lang.ini written next to each dropped executable, which makes those names better host IoCs than the randomised executable names. All paths are in C:\Windows\SysWOW64\, consistent with 32-bit processes writing to "system32" under WOW64 redirection.
description ioc Process
File created (dropped executable | dropping process):
injvkjzkm.exe | insuxuebv.exe
inzavthnp.exe | inmiqkaqr.exe
inrhnxdft.exe | iniqzgcyz.exe
intuwvzao.exe | incjmswjo.exe
inbmmjnwc.exe | inbsfowhf.exe
inclzteci.exe | intcrvwiy.exe
incsnrmiw.exe | inhxamofz.exe
inymcufhc.exe | inhrmfavc.exe
inbjdjvkm.exe | inelaxlvq.exe
infauwnfj.exe | inxitdtqe.exe
inufueytz.exe | inwmpgfnn.exe
inmxiifwj.exe | inrhnxdft.exe
innptoush.exe | innswqwhw.exe
inergdafx.exe | inyazesml.exe
inftrnfcc.exe | inochlfll.exe
inboqtqar.exe | innoqupvt.exe
intcrvwiy.exe | inyorihpp.exe
injwylczx.exe | inhgncqwc.exe
injkrqgyq.exe | inooxsntm.exe
File opened for modification (<name>.exe_lang.ini | process):
invmdukgq.exe_lang.ini | insgwlney.exe
inikbvtjp.exe_lang.ini | indhodkji.exe
inrcangym.exe_lang.ini | injyixbhg.exe
inatwyxqd.exe_lang.ini | inortslka.exe
inumafjdj.exe_lang.ini | indcsegkx.exe
indtosnaj.exe_lang.ini | inczogbkc.exe
inhgwhjlo.exe_lang.ini | inzgzfvqn.exe
incsvmltt.exe_lang.ini | infgwnmcy.exe
inofbieyd.exe_lang.ini | indqsmlmh.exe
inecpcnet.exe_lang.ini | inykznpoh.exe
inlofemzm.exe_lang.ini | inctckufj.exe
inmtiwity.exe_lang.ini | inlnqnzon.exe
inbjudnts.exe_lang.ini | inrlmbbts.exe
infvypoww.exe_lang.ini | invrckwrg.exe
invqmdynu.exe_lang.ini | infakywft.exe
inrlmbbts.exe_lang.ini | injlxlxig.exe
injtvdfif.exe_lang.ini | inyoqadam.exe
indhxkwmb.exe_lang.ini | inatwyxqd.exe
inbuzcxoc.exe_lang.ini | inudpxert.exe
inlgisalg.exe_lang.ini | inboqtqar.exe
invirzkie.exe_lang.ini | insbznvcp.exe
File opened for modification C:\Windows\SysWOW64\syslog.dat by (24 processes):
innezovdr.exe, invpovkyk.exe, inkuaczqt.exe, inxuxrboe.exe, inhscspdt.exe, invhwkmle.exe, insanriau.exe, incbrdfjw.exe, inhzrfkoi.exe, inhrmfavc.exe, innljnnyl.exe, inmktaxgs.exe, inrgfvgik.exe, inzloqpih.exe, invnbgkek.exe, innqaomqq.exe, inetlfmxc.exe, indwztgsi.exe, inzprbebn.exe, inuvxhdct.exe, injqftzfq.exe, inrkqhiua.exe, inovtknpq.exe, inhqlgymf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2300 NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe, 1668 inrngsnzc.exe, 2664 inzvgovkd.exe, 2672 inrdysgih.exe, 3000 inruwvobn.exe, 1568 ingvnhoze.exe, 2720 inkzrlbas.exe, 1368 innqsrkjz.exe,
532 inwhpwale.exe, 1476 indwztgsi.exe, 1108 intfuikjc.exe, 932 inqtvunam.exe, 816 innfvgrkz.exe, 2960 inxjymong.exe, 1748 inwsdlxsh.exe, 1688 inzkcszdo.exe,
2096 indxawycz.exe, 2284 inmtnbdcu.exe, 2252 inapnrseu.exe, 2504 inhwfuyzl.exe, 2564 invrckwrg.exe, 1432 infvypoww.exe, 1804 inogwahsa.exe, 2560 inaexuhtj.exe,
268 inocokdvj.exe, 2980 incgzwjvl.exe, 1356 incwvxbyn.exe, 1472 inhfsfaqh.exe, 548 inaphxbit.exe, 1776 invhwkmle.exe, 1716 inilcbjwj.exe, 2164 inazpsjiq.exe,
812 injyqkarh.exe, 2332 inbmkzbqa.exe, 2032 inyjbrycn.exe, 2788 insohtodl.exe, 2996 inwgusogd.exe, 2800 inpsutmlb.exe, 2404 infumgnyd.exe, 1600 incrjzdkv.exe,
1632 inkbaivic.exe, 2192 inaikwkwh.exe, 1048 inpbwqegf.exe, 1344 inddmxhxc.exe, 2856 inqmfrmyb.exe, 1996 insezthji.exe, 552 injwnoaqy.exe, 2204 inckxztas.exe,
2940 inlsmacbt.exe, 1720 inbaqtkjr.exe, 3024 inknedlyl.exe, 1080 inugvjlkd.exe, 812 intsuvkkg.exe, 2756 infrfrcan.exe, 2104 indeulkya.exe, 2712 intojzuff.exe,
2776 inxiaqxbm.exe, 2508 inoavpdfe.exe, 1796 ingerepgv.exe, 1676 ingtvpopk.exe, 1564 incvyzsfr.exe, 1036 injmdckxk.exe, 2732 indskelwb.exe, 1308 inwskdhbh.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege, enabled by each of the following processes:
2300 NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe, 1668 inrngsnzc.exe, 2664 inzvgovkd.exe, 2672 inrdysgih.exe, 3000 inruwvobn.exe, 1568 ingvnhoze.exe, 2720 inkzrlbas.exe, 1368 innqsrkjz.exe,
532 inwhpwale.exe, 1476 indwztgsi.exe, 1108 intfuikjc.exe, 932 inqtvunam.exe, 816 innfvgrkz.exe, 2960 inxjymong.exe, 1748 inwsdlxsh.exe, 1688 inzkcszdo.exe,
2096 indxawycz.exe, 2284 inmtnbdcu.exe, 2252 inapnrseu.exe, 2504 inhwfuyzl.exe, 2564 invrckwrg.exe, 1432 infvypoww.exe, 1804 inogwahsa.exe, 2560 inaexuhtj.exe,
268 inocokdvj.exe, 2980 incgzwjvl.exe, 1356 incwvxbyn.exe, 1472 inhfsfaqh.exe, 548 inaphxbit.exe, 1776 invhwkmle.exe, 1716 inilcbjwj.exe, 2164 inazpsjiq.exe,
812 injyqkarh.exe, 2332 inbmkzbqa.exe, 2032 inyjbrycn.exe, 2788 insohtodl.exe, 2996 inwgusogd.exe, 2800 inpsutmlb.exe, 2404 infumgnyd.exe, 1600 incrjzdkv.exe,
1632 inkbaivic.exe, 2192 inaikwkwh.exe, 1048 inpbwqegf.exe, 1344 inddmxhxc.exe, 2856 inqmfrmyb.exe, 1996 insezthji.exe, 552 injwnoaqy.exe, 2204 inckxztas.exe,
2940 inlsmacbt.exe, 1720 inbaqtkjr.exe, 3024 inknedlyl.exe, 1080 inugvjlkd.exe, 812 intsuvkkg.exe, 2756 infrfrcan.exe, 2104 indeulkya.exe, 2712 intojzuff.exe,
2776 inxiaqxbm.exe, 2508 inoavpdfe.exe, 1796 ingerepgv.exe, 1676 ingtvpopk.exe, 1564 incvyzsfr.exe, 1036 injmdckxk.exe, 2732 indskelwb.exe, 1308 inwskdhbh.exe
Suspicious use of SetWindowsHookEx 29 IoCs
pid Process
2300 NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe, 1668 inrngsnzc.exe, 2664 inzvgovkd.exe, 2672 inrdysgih.exe, 3000 inruwvobn.exe, 1568 ingvnhoze.exe, 2720 inkzrlbas.exe, 1368 innqsrkjz.exe,
532 inwhpwale.exe, 1476 indwztgsi.exe, 1108 intfuikjc.exe, 932 inqtvunam.exe, 816 innfvgrkz.exe, 2960 inxjymong.exe, 1748 inwsdlxsh.exe, 1688 inzkcszdo.exe,
2096 indxawycz.exe, 2284 inmtnbdcu.exe, 2252 inapnrseu.exe, 2504 inhwfuyzl.exe, 2564 invrckwrg.exe, 1432 infvypoww.exe, 1804 inogwahsa.exe, 2560 inaexuhtj.exe,
268 inocokdvj.exe, 2980 incgzwjvl.exe, 1356 incwvxbyn.exe, 1472 inhfsfaqh.exe, 548 inaphxbit.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (the sandbox logs seven identical writes for each parent-to-child hop; they are collapsed here)
PID 2300 wrote to memory of 1668 | 2300 NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe | 28 (7 writes)
PID 1668 wrote to memory of 2664 | 1668 inrngsnzc.exe | 29 (7 writes)
PID 2664 wrote to memory of 2672 | 2664 inzvgovkd.exe | 30 (7 writes)
PID 2672 wrote to memory of 3000 | 2672 inrdysgih.exe | 31 (7 writes)
PID 3000 wrote to memory of 1568 | 3000 inruwvobn.exe | 32 (7 writes)
PID 1568 wrote to memory of 2720 | 1568 ingvnhoze.exe | 33 (7 writes)
PID 2720 wrote to memory of 1368 | 2720 inkzrlbas.exe | 34 (7 writes)
PID 1368 wrote to memory of 532 | 1368 innqsrkjz.exe | 35 (7 writes)
PID 532 wrote to memory of 1476 | 532 inwhpwale.exe | 36 (7 writes)
PID 1476 wrote to memory of 1108 | 1476 indwztgsi.exe | 37 (1 write; the list is truncated at 64 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.793bba9fba7b970d4a5af2a2aaaf53d1_JC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\inrngsnzc.exeC:\Windows\system32\inrngsnzc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\inzvgovkd.exeC:\Windows\system32\inzvgovkd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\system32\inruwvobn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\inkzrlbas.exeC:\Windows\system32\inkzrlbas.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\system32\innqsrkjz.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\intfuikjc.exeC:\Windows\system32\intfuikjc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Windows\SysWOW64\inqtvunam.exeC:\Windows\system32\inqtvunam.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:932 -
C:\Windows\SysWOW64\innfvgrkz.exeC:\Windows\system32\innfvgrkz.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:816 -
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\system32\inwsdlxsh.exe15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Windows\SysWOW64\inzkcszdo.exeC:\Windows\system32\inzkcszdo.exe16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688 -
C:\Windows\SysWOW64\indxawycz.exeC:\Windows\system32\indxawycz.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2096 -
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\system32\inmtnbdcu.exe18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2284 -
C:\Windows\SysWOW64\inapnrseu.exeC:\Windows\system32\inapnrseu.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252 -
C:\Windows\SysWOW64\inhwfuyzl.exeC:\Windows\system32\inhwfuyzl.exe20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2504 -
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\system32\invrckwrg.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2564 -
C:\Windows\SysWOW64\infvypoww.exeC:\Windows\system32\infvypoww.exe22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\system32\inogwahsa.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\inaexuhtj.exeC:\Windows\system32\inaexuhtj.exe24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560 -
C:\Windows\SysWOW64\inocokdvj.exeC:\Windows\system32\inocokdvj.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268 -
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\system32\incgzwjvl.exe26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980 -
C:\Windows\SysWOW64\incwvxbyn.exeC:\Windows\system32\incwvxbyn.exe27⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1356 -
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\system32\inhfsfaqh.exe28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1472 -
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\system32\inaphxbit.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:548 -
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776 -
C:\Windows\SysWOW64\inilcbjwj.exeC:\Windows\system32\inilcbjwj.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716 -
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\system32\inazpsjiq.exe32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\SysWOW64\inbmkzbqa.exeC:\Windows\system32\inbmkzbqa.exe34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe36⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788 -
C:\Windows\SysWOW64\inwgusogd.exeC:\Windows\system32\inwgusogd.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996 -
C:\Windows\SysWOW64\inpsutmlb.exeC:\Windows\system32\inpsutmlb.exe38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\SysWOW64\infumgnyd.exeC:\Windows\system32\infumgnyd.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe40⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\SysWOW64\inaikwkwh.exeC:\Windows\system32\inaikwkwh.exe42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\system32\inpbwqegf.exe43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048 -
C:\Windows\SysWOW64\inddmxhxc.exeC:\Windows\system32\inddmxhxc.exe44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344 -
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\SysWOW64\insezthji.exeC:\Windows\system32\insezthji.exe46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996 -
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe47⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\SysWOW64\inckxztas.exeC:\Windows\system32\inckxztas.exe48⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204 -
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940 -
C:\Windows\SysWOW64\inbaqtkjr.exeC:\Windows\system32\inbaqtkjr.exe50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720 -
C:\Windows\SysWOW64\inknedlyl.exeC:\Windows\system32\inknedlyl.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024 -
C:\Windows\SysWOW64\inugvjlkd.exeC:\Windows\system32\inugvjlkd.exe52⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080 -
C:\Windows\SysWOW64\intsuvkkg.exeC:\Windows\system32\intsuvkkg.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Windows\SysWOW64\infrfrcan.exeC:\Windows\system32\infrfrcan.exe54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Windows\SysWOW64\indeulkya.exeC:\Windows\system32\indeulkya.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\intojzuff.exeC:\Windows\system32\intojzuff.exe56⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\SysWOW64\ingerepgv.exeC:\Windows\system32\ingerepgv.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796 -
C:\Windows\SysWOW64\ingtvpopk.exeC:\Windows\system32\ingtvpopk.exe60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\SysWOW64\injmdckxk.exeC:\Windows\system32\injmdckxk.exe62⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\system32\indskelwb.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\inwskdhbh.exeC:\Windows\system32\inwskdhbh.exe64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\SysWOW64\inadbobmd.exeC:\Windows\system32\inadbobmd.exe65⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe66⤵PID:788
-
C:\Windows\SysWOW64\inefvmlzb.exeC:\Windows\system32\inefvmlzb.exe67⤵PID:1736
-
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe68⤵PID:1324
-
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe69⤵PID:368
-
C:\Windows\SysWOW64\inxnqhgoo.exeC:\Windows\system32\inxnqhgoo.exe70⤵PID:1236
-
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe71⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\system32\inatwyxqd.exe72⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\indhxkwmb.exeC:\Windows\system32\indhxkwmb.exe73⤵PID:1500
-
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\system32\insvxwpco.exe74⤵PID:1592
-
C:\Windows\SysWOW64\inhqlgymf.exeC:\Windows\system32\inhqlgymf.exe75⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\system32\inetlfmxc.exe76⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe77⤵PID:2676
-
C:\Windows\SysWOW64\inowmiavg.exeC:\Windows\system32\inowmiavg.exe78⤵PID:1664
-
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\system32\inixpjqgj.exe79⤵PID:1692
-
C:\Windows\SysWOW64\inijzqpfx.exeC:\Windows\system32\inijzqpfx.exe80⤵PID:2188
-
C:\Windows\SysWOW64\inuiybnpg.exeC:\Windows\system32\inuiybnpg.exe81⤵PID:1568
-
C:\Windows\SysWOW64\inrfpuysy.exeC:\Windows\system32\inrfpuysy.exe82⤵PID:2008
-
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\system32\inyufnzuj.exe83⤵PID:2848
-
C:\Windows\SysWOW64\infslrijv.exeC:\Windows\system32\infslrijv.exe84⤵PID:2852
-
C:\Windows\SysWOW64\inpfzcyeq.exeC:\Windows\system32\inpfzcyeq.exe85⤵PID:2000
-
C:\Windows\SysWOW64\injlxlxig.exeC:\Windows\system32\injlxlxig.exe86⤵
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\inrlmbbts.exeC:\Windows\system32\inrlmbbts.exe87⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\inbjudnts.exeC:\Windows\system32\inbjudnts.exe88⤵PID:1580
-
C:\Windows\SysWOW64\inbnjcuis.exeC:\Windows\system32\inbnjcuis.exe89⤵PID:3036
-
C:\Windows\SysWOW64\intmsjkwc.exeC:\Windows\system32\intmsjkwc.exe90⤵PID:1584
-
C:\Windows\SysWOW64\inomzqrdt.exeC:\Windows\system32\inomzqrdt.exe91⤵PID:624
-
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe92⤵PID:2032
-
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe93⤵PID:1592
-
C:\Windows\SysWOW64\inkveoutv.exeC:\Windows\system32\inkveoutv.exe94⤵
- Modifies Installed Components in the registry
PID:2664 -
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\system32\inbuxzyre.exe95⤵PID:2252
-
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe96⤵
- Modifies Installed Components in the registry
PID:2504 -
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe97⤵PID:1948
-
C:\Windows\SysWOW64\insbquvhx.exeC:\Windows\system32\insbquvhx.exe98⤵PID:1564
-
C:\Windows\SysWOW64\inxtleici.exeC:\Windows\system32\inxtleici.exe99⤵PID:1908
-
C:\Windows\SysWOW64\inpcoeybx.exeC:\Windows\system32\inpcoeybx.exe100⤵PID:1488
-
C:\Windows\SysWOW64\inrtkbsie.exeC:\Windows\system32\inrtkbsie.exe101⤵PID:2060
-
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe102⤵PID:1356
-
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe103⤵PID:1852
-
C:\Windows\SysWOW64\inixomukg.exeC:\Windows\system32\inixomukg.exe104⤵PID:1816
-
C:\Windows\SysWOW64\inpiofygs.exeC:\Windows\system32\inpiofygs.exe105⤵PID:1108
-
C:\Windows\SysWOW64\inljyapnv.exeC:\Windows\system32\inljyapnv.exe106⤵PID:916
-
C:\Windows\SysWOW64\infnwdvwr.exeC:\Windows\system32\infnwdvwr.exe107⤵PID:3020
-
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe108⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\inecpcnet.exeC:\Windows\system32\inecpcnet.exe109⤵
- Modifies Installed Components in the registry
PID:2296 -
C:\Windows\SysWOW64\inqrggyxc.exeC:\Windows\system32\inqrggyxc.exe110⤵PID:2264
-
C:\Windows\SysWOW64\infgwnmcy.exeC:\Windows\system32\infgwnmcy.exe111⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\incsvmltt.exeC:\Windows\system32\incsvmltt.exe112⤵PID:2712
-
C:\Windows\SysWOW64\inirmhzng.exeC:\Windows\system32\inirmhzng.exe113⤵PID:2652
-
C:\Windows\SysWOW64\indrzpldy.exeC:\Windows\system32\indrzpldy.exe114⤵PID:2704
-
C:\Windows\SysWOW64\innbxlquo.exeC:\Windows\system32\innbxlquo.exe115⤵PID:2424
-
C:\Windows\SysWOW64\inlhzufqa.exeC:\Windows\system32\inlhzufqa.exe116⤵PID:1512
-
C:\Windows\SysWOW64\inhjvjvge.exeC:\Windows\system32\inhjvjvge.exe117⤵
- Modifies Installed Components in the registry
PID:2496 -
C:\Windows\SysWOW64\inrbrocsh.exeC:\Windows\system32\inrbrocsh.exe118⤵PID:2740
-
C:\Windows\SysWOW64\ingvetxyk.exeC:\Windows\system32\ingvetxyk.exe119⤵PID:2144
-
C:\Windows\SysWOW64\infvqbbup.exeC:\Windows\system32\infvqbbup.exe120⤵PID:1980
-
C:\Windows\SysWOW64\inqklaasr.exeC:\Windows\system32\inqklaasr.exe121⤵PID:2272
-
C:\Windows\SysWOW64\inxgusiod.exeC:\Windows\system32\inxgusiod.exe122⤵PID:1736