Analysis
- max time kernel: 109s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
- submitted: 09/10/2023, 15:55
Behavioral task behavioral1
- Sample: NEAS.84446418e733266249b3ce6c8af14916_JC.exe
- Resource: win7-20230831-en
Behavioral task behavioral2
- Sample: NEAS.84446418e733266249b3ce6c8af14916_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.84446418e733266249b3ce6c8af14916_JC.exe
- Size: 348KB
- MD5: 84446418e733266249b3ce6c8af14916
- SHA1: 83e890c5660d19ceb2c44a3c7e6febc89a61a3cf
- SHA256: e624ef743b6ae008716257de32231e9a4e9787d98c0702ee74c2e0452b3b3338
- SHA512: bb0b369398575ff8037af90e3c4689405677df07af693e96e31e0e6fbc74242dd0570ee342003d4d3a8ab0e316dbb0f69b0b5620b01e7ed7aee3e4cffb8fb80b
- SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SU:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0o
Malware Config
Signatures
Gh0st RAT payload 62 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.84446418e733266249b3ce6c8af14916_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.84446418e733266249b3ce6c8af14916_JC.exe"1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\inyorihpp.exeC:\Windows\system32\inyorihpp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\system32\inmprqjiy.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\inxtemyti.exeC:\Windows\system32\inxtemyti.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\system32\inpbwqegf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\inzvgovkd.exeC:\Windows\system32\inzvgovkd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\system32\inmtnbdcu.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\injkrqgyq.exeC:\Windows\system32\injkrqgyq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe18⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\system32\invrckwrg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\system32\inixpjqgj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\infumgnyd.exeC:\Windows\system32\infumgnyd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\inwmpgfnn.exeC:\Windows\system32\inwmpgfnn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4524 -
C:\Windows\SysWOW64\intpaiupe.exeC:\Windows\system32\intpaiupe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1648 -
C:\Windows\SysWOW64\indtwnmuu.exeC:\Windows\system32\indtwnmuu.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1864 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4320 -
C:\Windows\SysWOW64\inopeewva.exeC:\Windows\system32\inopeewva.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2784 -
C:\Windows\SysWOW64\inknedlyl.exeC:\Windows\system32\inknedlyl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3476 -
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400 -
C:\Windows\SysWOW64\innlypqcs.exeC:\Windows\system32\innlypqcs.exe32⤵PID:4912
-
C:\Windows\SysWOW64\insbquvhx.exeC:\Windows\system32\insbquvhx.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460 -
C:\Windows\SysWOW64\inomzqrdt.exeC:\Windows\system32\inomzqrdt.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\system32\ingwzqpxx.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\system32\inaphxbit.exe37⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Windows\SysWOW64\inlvjosms.exeC:\Windows\system32\inlvjosms.exe38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304 -
C:\Windows\SysWOW64\infgwnmcy.exeC:\Windows\system32\infgwnmcy.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304 -
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932 -
C:\Windows\SysWOW64\inhwoipfi.exeC:\Windows\system32\inhwoipfi.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232 -
C:\Windows\SysWOW64\inumafjdj.exeC:\Windows\system32\inumafjdj.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\SysWOW64\inbqiycju.exeC:\Windows\system32\inbqiycju.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3328 -
C:\Windows\SysWOW64\injmdckxk.exeC:\Windows\system32\injmdckxk.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Windows\SysWOW64\incanalcr.exeC:\Windows\system32\incanalcr.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912 -
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\system32\inyufnzuj.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324 -
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332 -
C:\Windows\SysWOW64\inadbobmd.exeC:\Windows\system32\inadbobmd.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616 -
C:\Windows\SysWOW64\intcrvwiy.exeC:\Windows\system32\intcrvwiy.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\SysWOW64\injhulmow.exeC:\Windows\system32\injhulmow.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304 -
C:\Windows\SysWOW64\intfuikjc.exeC:\Windows\system32\intfuikjc.exe53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320 -
C:\Windows\SysWOW64\inahuhbcs.exeC:\Windows\system32\inahuhbcs.exe54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500 -
C:\Windows\SysWOW64\innuocedv.exeC:\Windows\system32\innuocedv.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396 -
C:\Windows\SysWOW64\inscqyokc.exeC:\Windows\system32\inscqyokc.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Windows\SysWOW64\ingoxeawx.exeC:\Windows\system32\ingoxeawx.exe57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760 -
C:\Windows\SysWOW64\injsnioht.exeC:\Windows\system32\injsnioht.exe58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892 -
C:\Windows\SysWOW64\inaivxrqr.exeC:\Windows\system32\inaivxrqr.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3000 -
C:\Windows\SysWOW64\ingtgabri.exeC:\Windows\system32\ingtgabri.exe60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520 -
C:\Windows\SysWOW64\invmdukgq.exeC:\Windows\system32\invmdukgq.exe61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\system32\inazpsjiq.exe62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196 -
C:\Windows\SysWOW64\infudswxj.exeC:\Windows\system32\infudswxj.exe63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\inmkxopbr.exeC:\Windows\system32\inmkxopbr.exe64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\indscwrxb.exeC:\Windows\system32\indscwrxb.exe65⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\inertnmni.exeC:\Windows\system32\inertnmni.exe66⤵
- Modifies Installed Components in the registry
PID:4376 -
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\system32\inruwvobn.exe67⤵PID:1976
-
C:\Windows\SysWOW64\inaqceivb.exeC:\Windows\system32\inaqceivb.exe68⤵PID:1128
-
C:\Windows\SysWOW64\insacfcod.exeC:\Windows\system32\insacfcod.exe69⤵PID:3160
-
C:\Windows\SysWOW64\inxhvtpha.exeC:\Windows\system32\inxhvtpha.exe70⤵PID:2400
-
C:\Windows\SysWOW64\inzloqpih.exeC:\Windows\system32\inzloqpih.exe71⤵PID:3512
-
C:\Windows\SysWOW64\inmhxsddw.exeC:\Windows\system32\inmhxsddw.exe72⤵PID:4088
-
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\system32\inwsdlxsh.exe73⤵PID:2912
-
C:\Windows\SysWOW64\inpqffxwb.exeC:\Windows\system32\inpqffxwb.exe74⤵
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\system32\ingvzmksi.exe75⤵PID:1664
-
C:\Windows\SysWOW64\inzhuwqpq.exeC:\Windows\system32\inzhuwqpq.exe76⤵PID:2876
-
C:\Windows\SysWOW64\inbrulkss.exeC:\Windows\system32\inbrulkss.exe77⤵PID:3452
-
C:\Windows\SysWOW64\injyiwuqi.exeC:\Windows\system32\injyiwuqi.exe78⤵PID:2060
-
C:\Windows\SysWOW64\inpsutmlb.exeC:\Windows\system32\inpsutmlb.exe79⤵PID:3424
-
C:\Windows\SysWOW64\ineeenyiy.exeC:\Windows\system32\ineeenyiy.exe80⤵PID:1632
-
C:\Windows\SysWOW64\inpleqlxa.exeC:\Windows\system32\inpleqlxa.exe81⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\inhiypoew.exeC:\Windows\system32\inhiypoew.exe82⤵PID:1108
-
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\system32\insvxwpco.exe83⤵PID:792
-
C:\Windows\SysWOW64\inewrcnnk.exeC:\Windows\system32\inewrcnnk.exe84⤵
- Modifies Installed Components in the registry
PID:2760 -
C:\Windows\SysWOW64\inochlfll.exeC:\Windows\system32\inochlfll.exe85⤵PID:1572
-
C:\Windows\SysWOW64\inmnccutj.exeC:\Windows\system32\inmnccutj.exe86⤵PID:2308
-
C:\Windows\SysWOW64\inrshhzyd.exeC:\Windows\system32\inrshhzyd.exe87⤵PID:2128
-
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe88⤵PID:2316
-
C:\Windows\SysWOW64\inejnhnnw.exeC:\Windows\system32\inejnhnnw.exe89⤵PID:1880
-
C:\Windows\SysWOW64\ingerepgv.exeC:\Windows\system32\ingerepgv.exe90⤵PID:440
-
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe91⤵PID:3252
-
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe92⤵
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\inxitdtqe.exeC:\Windows\system32\inxitdtqe.exe93⤵PID:1516
-
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe94⤵PID:3656
-
C:\Windows\SysWOW64\inhjvjvge.exeC:\Windows\system32\inhjvjvge.exe95⤵
- Modifies Installed Components in the registry
PID:3272 -
C:\Windows\SysWOW64\incsdfhkz.exeC:\Windows\system32\incsdfhkz.exe96⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\inqtvunam.exeC:\Windows\system32\inqtvunam.exe97⤵PID:1464
-
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe98⤵PID:2652
-
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe99⤵PID:1624
-
C:\Windows\SysWOW64\inefvmlzb.exeC:\Windows\system32\inefvmlzb.exe100⤵PID:4596
-
C:\Windows\SysWOW64\inbjwysrs.exeC:\Windows\system32\inbjwysrs.exe101⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\inocymrvp.exeC:\Windows\system32\inocymrvp.exe102⤵PID:3328
-
C:\Windows\SysWOW64\invuwaxma.exeC:\Windows\system32\invuwaxma.exe103⤵PID:2812
-
C:\Windows\SysWOW64\inftrnfcc.exeC:\Windows\system32\inftrnfcc.exe104⤵PID:2716
-
C:\Windows\SysWOW64\infvypoww.exeC:\Windows\system32\infvypoww.exe105⤵
- Modifies Installed Components in the registry
PID:2892 -
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\system32\inhfsfaqh.exe106⤵PID:4660
-
C:\Windows\SysWOW64\inxtleici.exeC:\Windows\system32\inxtleici.exe107⤵PID:2428
-
C:\Windows\SysWOW64\inniyteex.exeC:\Windows\system32\inniyteex.exe108⤵PID:4496
-
C:\Windows\SysWOW64\inimthpzj.exeC:\Windows\system32\inimthpzj.exe109⤵
- Modifies Installed Components in the registry
PID:1216 -
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\system32\insrzztuj.exe110⤵PID:2876
-
C:\Windows\SysWOW64\inujlcwuk.exeC:\Windows\system32\inujlcwuk.exe111⤵PID:4320
-
C:\Windows\SysWOW64\indvjzcoq.exeC:\Windows\system32\indvjzcoq.exe112⤵PID:2316
-
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe113⤵PID:1128
-
C:\Windows\SysWOW64\inbqostfv.exeC:\Windows\system32\inbqostfv.exe114⤵PID:4364
-
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe115⤵PID:2992
-
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe116⤵PID:2728
-
C:\Windows\SysWOW64\indtkzjxv.exeC:\Windows\system32\indtkzjxv.exe117⤵PID:4912
-
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\system32\indskelwb.exe118⤵PID:4336
-
C:\Windows\SysWOW64\invgvfzue.exeC:\Windows\system32\invgvfzue.exe119⤵PID:780
-
C:\Windows\SysWOW64\inhwnltjf.exeC:\Windows\system32\inhwnltjf.exe120⤵PID:1424
-
C:\Windows\SysWOW64\inrmslxzd.exeC:\Windows\system32\inrmslxzd.exe121⤵PID:2236
-
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\system32\incgzwjvl.exe122⤵PID:4588