Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 01:12
Behavioral task
behavioral1
Sample
ce40357821569e1e889d54e9e0e52b10exe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
ce40357821569e1e889d54e9e0e52b10exe_JC.exe
Resource
win10v2004-20230915-en
General
- Target: ce40357821569e1e889d54e9e0e52b10exe_JC.exe
- Size: 348KB
- MD5: ce40357821569e1e889d54e9e0e52b10
- SHA1: 5fc6a0ce09d9ffbec3f03e3b0be9b5f113905366
- SHA256: 2c90724c8ec00db4fe236cbbad0006748223885bb2101d79a663a75cf234d52b
- SHA512: 30e18c680068c853c85f0d00ecee9e76f59310adf66d8343e06ccf6c0ddae1a4c16ed8f8c6f6211a3800fd278592b0d3fac795a5216a96a9641da7fb9a58d668
- SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SU:ouLwoZQGpnedeP/deUe1ppGjTGHZRT04
Malware Config
Signatures
-
Gh0st RAT payload 60 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce40357821569e1e889d54e9e0e52b10exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\ce40357821569e1e889d54e9e0e52b10exe_JC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\intfuikjc.exeC:\Windows\system32\intfuikjc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704
-
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe1⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\system32\inbuxzyre.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\inugvjlkd.exeC:\Windows\system32\inugvjlkd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\system32\ingvzmksi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\inewrcnnk.exeC:\Windows\system32\inewrcnnk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\inaexuhtj.exeC:\Windows\system32\inaexuhtj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\system32\insvxwpco.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\system32\inmprqjiy.exe14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\system32\inruwvobn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\inkzrlbas.exeC:\Windows\system32\inkzrlbas.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\system32\inpbwqegf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\inhjvjvge.exeC:\Windows\system32\inhjvjvge.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\inbqiycju.exeC:\Windows\system32\inbqiycju.exe19⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3252 -
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\system32\indskelwb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4824 -
C:\Windows\SysWOW64\inzkcszdo.exeC:\Windows\system32\inzkcszdo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1652 -
C:\Windows\SysWOW64\indxawycz.exeC:\Windows\system32\indxawycz.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2680 -
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe24⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\system32\insrzztuj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808 -
C:\Windows\SysWOW64\inocokdvj.exeC:\Windows\system32\inocokdvj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012 -
C:\Windows\SysWOW64\incsvmltt.exeC:\Windows\system32\incsvmltt.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996 -
C:\Windows\SysWOW64\inzloqpih.exeC:\Windows\system32\inzloqpih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe29⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe30⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684 -
C:\Windows\SysWOW64\indhxkwmb.exeC:\Windows\system32\indhxkwmb.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3292 -
C:\Windows\SysWOW64\innlypqcs.exeC:\Windows\system32\innlypqcs.exe32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788 -
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\system32\innqsrkjz.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960 -
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392 -
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384 -
C:\Windows\SysWOW64\intpaiupe.exeC:\Windows\system32\intpaiupe.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016 -
C:\Windows\SysWOW64\intcrvwiy.exeC:\Windows\system32\intcrvwiy.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952 -
C:\Windows\SysWOW64\inxtemyti.exeC:\Windows\system32\inxtemyti.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\SysWOW64\inilcbjwj.exeC:\Windows\system32\inilcbjwj.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\SysWOW64\inbqostfv.exeC:\Windows\system32\inbqostfv.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824 -
C:\Windows\SysWOW64\inhwoipfi.exeC:\Windows\system32\inhwoipfi.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844 -
C:\Windows\SysWOW64\inrngsnzc.exeC:\Windows\system32\inrngsnzc.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872 -
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\system32\inwsdlxsh.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208 -
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008 -
C:\Windows\SysWOW64\inmkxopbr.exeC:\Windows\system32\inmkxopbr.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Windows\SysWOW64\indtwnmuu.exeC:\Windows\system32\indtwnmuu.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916 -
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:208 -
C:\Windows\SysWOW64\ingtgabri.exeC:\Windows\system32\ingtgabri.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296 -
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260 -
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\system32\inetlfmxc.exe53⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968 -
C:\Windows\SysWOW64\ingvetxyk.exeC:\Windows\system32\ingvetxyk.exe54⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816 -
C:\Windows\SysWOW64\inkivmnpx.exeC:\Windows\system32\inkivmnpx.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384 -
C:\Windows\SysWOW64\infdqdofu.exeC:\Windows\system32\infdqdofu.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620 -
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\SysWOW64\injhulmow.exeC:\Windows\system32\injhulmow.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:536 -
C:\Windows\SysWOW64\inqgdzfrf.exeC:\Windows\system32\inqgdzfrf.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364 -
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\system32\incgzwjvl.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4624 -
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\system32\invrckwrg.exe61⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\inaikwkwh.exeC:\Windows\system32\inaikwkwh.exe62⤵
- Modifies Installed Components in the registry
PID:2160 -
C:\Windows\SysWOW64\inatybwnb.exeC:\Windows\system32\inatybwnb.exe63⤵PID:1920
-
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\system32\inatwyxqd.exe64⤵PID:2448
-
C:\Windows\SysWOW64\iniqzgcyz.exeC:\Windows\system32\iniqzgcyz.exe65⤵PID:2572
-
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\system32\inogwahsa.exe66⤵PID:2136
-
C:\Windows\SysWOW64\inbohznex.exeC:\Windows\system32\inbohznex.exe67⤵
- Modifies Installed Components in the registry
PID:3692 -
C:\Windows\SysWOW64\indtkzjxv.exeC:\Windows\system32\indtkzjxv.exe68⤵PID:920
-
C:\Windows\SysWOW64\inertnmni.exeC:\Windows\system32\inertnmni.exe69⤵PID:3288
-
C:\Windows\SysWOW64\inomzqrdt.exeC:\Windows\system32\inomzqrdt.exe70⤵PID:1480
-
C:\Windows\SysWOW64\ingoxeawx.exeC:\Windows\system32\ingoxeawx.exe71⤵PID:996
-
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe72⤵PID:1568
-
C:\Windows\SysWOW64\insezthji.exeC:\Windows\system32\insezthji.exe73⤵
- Modifies Installed Components in the registry
PID:1760 -
C:\Windows\SysWOW64\injfqeotx.exeC:\Windows\system32\injfqeotx.exe74⤵PID:4428
-
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe75⤵PID:1732
-
C:\Windows\SysWOW64\inbrulkss.exeC:\Windows\system32\inbrulkss.exe76⤵PID:3392
-
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\system32\ingwzqpxx.exe77⤵PID:2716
-
C:\Windows\SysWOW64\innfvgrkz.exeC:\Windows\system32\innfvgrkz.exe78⤵PID:804
-
C:\Windows\SysWOW64\inbjwysrs.exeC:\Windows\system32\inbjwysrs.exe79⤵PID:3404
-
C:\Windows\SysWOW64\insnyjjgx.exeC:\Windows\system32\insnyjjgx.exe80⤵PID:3696
-
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe81⤵PID:2908
-
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\system32\inaphxbit.exe82⤵PID:4192
-
C:\Windows\SysWOW64\inrcangym.exeC:\Windows\system32\inrcangym.exe83⤵PID:2056
-
C:\Windows\SysWOW64\infslrijv.exeC:\Windows\system32\infslrijv.exe84⤵PID:4340
-
C:\Windows\SysWOW64\inaivxrqr.exeC:\Windows\system32\inaivxrqr.exe85⤵PID:2448
-
C:\Windows\SysWOW64\inrkqhiua.exeC:\Windows\system32\inrkqhiua.exe86⤵PID:316
-
C:\Windows\SysWOW64\inoxdfqoe.exeC:\Windows\system32\inoxdfqoe.exe87⤵
- Modifies Installed Components in the registry
PID:2884 -
C:\Windows\SysWOW64\inapnrseu.exeC:\Windows\system32\inapnrseu.exe88⤵
- Modifies Installed Components in the registry
PID:3532 -
C:\Windows\SysWOW64\incanalcr.exeC:\Windows\system32\incanalcr.exe89⤵
- Modifies Installed Components in the registry
PID:3904 -
C:\Windows\SysWOW64\indwezqep.exeC:\Windows\system32\indwezqep.exe90⤵PID:3760
-
C:\Windows\SysWOW64\inhwfuyzl.exeC:\Windows\system32\inhwfuyzl.exe91⤵PID:1036
-
C:\Windows\SysWOW64\inmflkmos.exeC:\Windows\system32\inmflkmos.exe92⤵
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\inopeewva.exeC:\Windows\system32\inopeewva.exe93⤵
- Drops file in System32 directory
PID:4184 -
C:\Windows\SysWOW64\indeulkya.exeC:\Windows\system32\indeulkya.exe94⤵PID:3324
-
C:\Windows\SysWOW64\ingtvpopk.exeC:\Windows\system32\ingtvpopk.exe95⤵PID:4324
-
C:\Windows\SysWOW64\inpfzcyeq.exeC:\Windows\system32\inpfzcyeq.exe96⤵PID:3124
-
C:\Windows\SysWOW64\initcmsrt.exeC:\Windows\system32\initcmsrt.exe97⤵PID:2760
-
C:\Windows\SysWOW64\inmhxsddw.exeC:\Windows\system32\inmhxsddw.exe98⤵PID:3436
-
C:\Windows\SysWOW64\inmnccutj.exeC:\Windows\system32\inmnccutj.exe99⤵
- Modifies Installed Components in the registry
PID:1980 -
C:\Windows\SysWOW64\injmdckxk.exeC:\Windows\system32\injmdckxk.exe100⤵PID:2160
-
C:\Windows\SysWOW64\inthmqkqb.exeC:\Windows\system32\inthmqkqb.exe101⤵
- Modifies Installed Components in the registry
PID:3240 -
C:\Windows\SysWOW64\inktbmkag.exeC:\Windows\system32\inktbmkag.exe102⤵PID:4392
-
C:\Windows\SysWOW64\inrxixhwa.exeC:\Windows\system32\inrxixhwa.exe103⤵PID:3812
-
C:\Windows\SysWOW64\inniyteex.exeC:\Windows\system32\inniyteex.exe104⤵PID:3428
-
C:\Windows\SysWOW64\indlyubtu.exeC:\Windows\system32\indlyubtu.exe105⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\inwskdhbh.exeC:\Windows\system32\inwskdhbh.exe106⤵PID:4620
-
C:\Windows\SysWOW64\inljswfrz.exeC:\Windows\system32\inljswfrz.exe107⤵PID:1000
-
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe108⤵PID:1480
-
C:\Windows\SysWOW64\inkuaczqt.exeC:\Windows\system32\inkuaczqt.exe109⤵PID:1772
-
C:\Windows\SysWOW64\inwmpgfnn.exeC:\Windows\system32\inwmpgfnn.exe110⤵PID:4172
-
C:\Windows\SysWOW64\inqzaupvo.exeC:\Windows\system32\inqzaupvo.exe111⤵PID:1584
-
C:\Windows\SysWOW64\invwyxcqk.exeC:\Windows\system32\invwyxcqk.exe112⤵PID:4520
-
C:\Windows\SysWOW64\inecpcnet.exeC:\Windows\system32\inecpcnet.exe113⤵
- Modifies Installed Components in the registry
PID:3324 -
C:\Windows\SysWOW64\ineybxzdp.exeC:\Windows\system32\ineybxzdp.exe114⤵
- Modifies Installed Components in the registry
PID:2716 -
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe115⤵PID:4444
-
C:\Windows\SysWOW64\intsuvkkg.exeC:\Windows\system32\intsuvkkg.exe116⤵
- Modifies Installed Components in the registry
PID:784 -
C:\Windows\SysWOW64\inyorihpp.exeC:\Windows\system32\inyorihpp.exe117⤵
- Modifies Installed Components in the registry
PID:3552 -
C:\Windows\SysWOW64\inionprva.exeC:\Windows\system32\inionprva.exe118⤵PID:2056
-
C:\Windows\SysWOW64\inqxvmprs.exeC:\Windows\system32\inqxvmprs.exe119⤵PID:2476
-
C:\Windows\SysWOW64\innuocedv.exeC:\Windows\system32\innuocedv.exe120⤵PID:2560
-
C:\Windows\SysWOW64\inbsfowhf.exeC:\Windows\system32\inbsfowhf.exe121⤵PID:2864
-
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe122⤵PID:1092