Analysis
max time kernel: 163s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 20:33
Behavioral task: behavioral1
Sample: NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe
Resource: win7-20230831-en (windows7-x64)
11 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe
Resource: win10v2004-20230915-en (windows10-2004-x64)
11 signatures, 150 seconds
General
Target: NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe
Size: 348KB
MD5: a5ac4d3363fff3a2ab8388c25592fce0
SHA1: 0e9898bc8cc708f6313017218a10dc1a09030625
SHA256: d84bd33dc321831fb6ba02e66408c72116987ed8ecb285ba361222a501094ec6
SHA512: 33d536eb8d7d4c8ee3cdd1db10c88e27b15a11b1df6ca7da02532ae01472ede574065ec3991ea042dad455c05b60d32c138b5dc40b6a89461a48e04fd08c8693
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SB:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0t
Score: 10/10
Malware Config

Signatures
Gh0st RAT payload 59 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each stage drops the next one into the 32-bit system directory under a fresh name of the form in<7 lowercase letters>.exe, starts it and exits; the bracketed number is the nesting depth in the sandbox's process tree. Because the parent is gone by the time later stages run, Windows recycles PIDs: 3500, 632, 1216, 4068, 5100, 2976, 228, 4356, 564, 808, 3096, 4240, 3636, 1256 and 3204 each appear more than once below, so correlate stages by image path and start time rather than by PID alone. Every dropped stage was started with the unquoted command line C:\Windows\system32\<name>.exe; the image path the sandbox records is C:\Windows\SysWOW64\<name>.exe because the 32-bit process is subject to WOW64 file-system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe (PID 1180)
    cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\inbqiycju.exe (PID 3260)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\inwixlnmf.exe (PID 2340)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\inyufnzuj.exe (PID 1424)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\inmprqjiy.exe (PID 4492)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\inetlfmxc.exe (PID 3500)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\invrckwrg.exe (PID 1216)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\inrdysgih.exe (PID 2844)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\innqsrkjz.exe (PID 4240)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\inxjymong.exe (PID 4068)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\intfuikjc.exe (PID 632)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\invhwkmle.exe (PID 4232)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\inldtepix.exe (PID 4132)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\inpsutmlb.exe (PID 1980)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\inmeufqjy.exe (PID 1304)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\infvypoww.exe (PID 5100)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\inqmfrmyb.exe (PID 1176)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\indwztgsi.exe (PID 3500)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\inykznpoh.exe (PID 1628)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\inzvgovkd.exe (PID 2876)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\insohtodl.exe (PID 3516)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\inogwahsa.exe (PID 3044)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\inwhpwale.exe (PID 2976)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[24] C:\Windows\SysWOW64\inazpsjiq.exe (PID 632)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[25] C:\Windows\SysWOW64\invuwaxma.exe (PID 1256)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[26] C:\Windows\SysWOW64\inlsmacbt.exe (PID 1844)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[27] C:\Windows\SysWOW64\insbquvhx.exe (PID 3748)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[28] C:\Windows\SysWOW64\inqtvunam.exe (PID 1728)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[29] C:\Windows\SysWOW64\innuocedv.exe (PID 3204)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[30] C:\Windows\SysWOW64\ineuxonvv.exe (PID 3392)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[31] C:\Windows\SysWOW64\inomzqrdt.exe (PID 4504)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[32] C:\Windows\SysWOW64\inugvjlkd.exe (PID 4024)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[33] C:\Windows\SysWOW64\incvyzsfr.exe (PID 2804)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[34] C:\Windows\SysWOW64\incraptug.exe (PID 2644)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[35] C:\Windows\SysWOW64\inhwnltjf.exe (PID 3096)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[36] C:\Windows\SysWOW64\inhwoipfi.exe (PID 5116)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[37] C:\Windows\SysWOW64\intcrvwiy.exe (PID 4068)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[38] C:\Windows\SysWOW64\incanalcr.exe (PID 3636)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[39] C:\Windows\SysWOW64\infhthtec.exe (PID 4500)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[40] C:\Windows\SysWOW64\inrngsnzc.exe (PID 1092)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[41] C:\Windows\SysWOW64\inbuxzyre.exe (PID 4244)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[42] C:\Windows\SysWOW64\inlofemzm.exe (PID 3600)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[43] C:\Windows\SysWOW64\infnwdvwr.exe (PID 3928)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[44] C:\Windows\SysWOW64\inmibthrw.exe (PID 180)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[45] C:\Windows\SysWOW64\inuqbjvqf.exe (PID 260)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[46] C:\Windows\SysWOW64\inbjwysrs.exe (PID 748)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[47] C:\Windows\SysWOW64\intpaiupe.exe (PID 1216)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[48] C:\Windows\SysWOW64\inxtemyti.exe (PID 5008)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[49] C:\Windows\SysWOW64\inpiofygs.exe (PID 2116)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[50] C:\Windows\SysWOW64\inpleqlxa.exe (PID 2584)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[51] C:\Windows\SysWOW64\incsvmltt.exe (PID 4252)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[52] C:\Windows\SysWOW64\insrzztuj.exe (PID 2976)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[53] C:\Windows\SysWOW64\indtwnmuu.exe (PID 720)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[54] C:\Windows\SysWOW64\inbfyviuk.exe (PID 4820)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[55] C:\Windows\SysWOW64\injfqeotx.exe (PID 3988)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[56] C:\Windows\SysWOW64\inbpxnjbw.exe (PID 228)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[57] C:\Windows\SysWOW64\inulkzdji.exe (PID 5100)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[58] C:\Windows\SysWOW64\infdqdofu.exe (PID 4356)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[59] C:\Windows\SysWOW64\ingvzmksi.exe (PID 3744)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[60] C:\Windows\SysWOW64\ingoxeawx.exe (PID 4448)
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[61] C:\Windows\SysWOW64\inpqffxwb.exe (PID 1216)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[62] C:\Windows\SysWOW64\injhulmow.exe (PID 3364)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[63] C:\Windows\SysWOW64\inruwvobn.exe (PID 3324)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
[64] C:\Windows\SysWOW64\inewrcnnk.exe (PID 1720)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[65] C:\Windows\SysWOW64\inoxdfqoe.exe (PID 4220)
    - Executes dropped EXE
[66] C:\Windows\SysWOW64\inniyteex.exe (PID 740)
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
[67] C:\Windows\SysWOW64\inljyapnv.exe (PID 4624)
[68] C:\Windows\SysWOW64\inmawkptn.exe (PID 3896)
    - Drops file in System32 directory
[69] C:\Windows\SysWOW64\ingwzqpxx.exe (PID 4344)
[70] C:\Windows\SysWOW64\inoavpdfe.exe (PID 228)
[71] C:\Windows\SysWOW64\inbrulkss.exe (PID 4496)
[72] C:\Windows\SysWOW64\inopeewva.exe (PID 416)
    - Modifies Installed Components in the registry
[73] C:\Windows\SysWOW64\inmkxopbr.exe (PID 2096)
[74] C:\Windows\SysWOW64\intetdxsy.exe (PID 2468)
    - Modifies Installed Components in the registry
[75] C:\Windows\SysWOW64\inkuaczqt.exe (PID 1032)
[76] C:\Windows\SysWOW64\inaphxbit.exe (PID 4240)
    - Drops file in System32 directory
[77] C:\Windows\SysWOW64\intsuvkkg.exe (PID 760)
    - Drops file in System32 directory
[78] C:\Windows\SysWOW64\inqgdzfrf.exe (PID 3636)
[79] C:\Windows\SysWOW64\inwsdlxsh.exe (PID 3724)
[80] C:\Windows\SysWOW64\innfvgrkz.exe (PID 4616)
[81] C:\Windows\SysWOW64\inbsfowhf.exe (PID 3788)
[82] C:\Windows\SysWOW64\ingtgabri.exe (PID 2236)
    - Drops file in System32 directory
[83] C:\Windows\SysWOW64\inxiaqxbm.exe (PID 3104)
    - Modifies Installed Components in the registry
[84] C:\Windows\SysWOW64\inqrggyxc.exe (PID 3340)
[85] C:\Windows\SysWOW64\inapnrseu.exe (PID 2076)
[86] C:\Windows\SysWOW64\inykmqjhq.exe (PID 4356)
[87] C:\Windows\SysWOW64\incgzwjvl.exe (PID 2540)
    - Drops file in System32 directory
[88] C:\Windows\SysWOW64\innlypqcs.exe (PID 1196)
    - Modifies Installed Components in the registry
[89] C:\Windows\SysWOW64\inaexuhtj.exe (PID 3096)
[90] C:\Windows\SysWOW64\insvxwpco.exe (PID 1248)
[91] C:\Windows\SysWOW64\ineybxzdp.exe (PID 808)
    - Drops file in System32 directory
[92] C:\Windows\SysWOW64\incrjzdkv.exe (PID 4732)
[93] C:\Windows\SysWOW64\invwyxcqk.exe (PID 3728)
[94] C:\Windows\SysWOW64\inckxztas.exe (PID 2296)
    - Drops file in System32 directory
[95] C:\Windows\SysWOW64\inxsdoolp.exe (PID 3204)
[96] C:\Windows\SysWOW64\inrshhzyd.exe (PID 3692)
[97] C:\Windows\SysWOW64\inortslka.exe (PID 564)
[98] C:\Windows\SysWOW64\inrxixhwa.exe (PID 3784)
    - Modifies Installed Components in the registry
[99] C:\Windows\SysWOW64\inmxiifwj.exe (PID 3376)
[100] C:\Windows\SysWOW64\innbxlquo.exe (PID 3480)
    - Drops file in System32 directory
[101] C:\Windows\SysWOW64\inbqostfv.exe (PID 3404)
    - Modifies Installed Components in the registry
[102] C:\Windows\SysWOW64\inqklaasr.exe (PID 1256)
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
[103] C:\Windows\SysWOW64\indskelwb.exe (PID 3852)
    - Drops file in System32 directory
[104] C:\Windows\SysWOW64\inlhzufqa.exe (PID 368)
    - Drops file in System32 directory
[105] C:\Windows\SysWOW64\inixpjqgj.exe (PID 3764)
[106] C:\Windows\SysWOW64\inmnccutj.exe (PID 4084)
    - Modifies Installed Components in the registry
[107] C:\Windows\SysWOW64\inertnmni.exe (PID 3152)
[108] C:\Windows\SysWOW64\indpalewk.exe (PID 3892)
    - Drops file in System32 directory
[109] C:\Windows\SysWOW64\inrfpuysy.exe (PID 3888)
    - Drops file in System32 directory
[110] C:\Windows\SysWOW64\injwnoaqy.exe (PID 520)
    - Modifies Installed Components in the registry
[111] C:\Windows\SysWOW64\injqftzfq.exe (PID 1416)
[112] C:\Windows\SysWOW64\inlvjosms.exe (PID 564)
[113] C:\Windows\SysWOW64\ingrakqpr.exe (PID 4436)
[114] C:\Windows\SysWOW64\inaivxrqr.exe (PID 1072)
    - Drops file in System32 directory
[115] C:\Windows\SysWOW64\injmdckxk.exe (PID 4356)
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
[116] C:\Windows\SysWOW64\inutvwllh.exe (PID 392)
[117] C:\Windows\SysWOW64\inqcxrfhg.exe (PID 2952)
    - Modifies Installed Components in the registry
[118] C:\Windows\SysWOW64\ingfvhjng.exe (PID 3792)
[119] C:\Windows\SysWOW64\invlhtipl.exe (PID 808)
    - Modifies Installed Components in the registry
[120] C:\Windows\SysWOW64\injyqkarh.exe (PID 1340)
    - Modifies Installed Components in the registry
[121] C:\Windows\SysWOW64\indlyubtu.exe (PID 2172)
[122] C:\Windows\SysWOW64\inkzrlbas.exe (PID 2528)
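The spawn chain above is easy to misread by eye once PIDs start to be recycled. The following script, added here as an example and not part of the sandbox's own tooling, rebuilds the chain from the report's "wrote to memory" rows in their original order, collapses the three writes per spawn, flags the in<7 letters>.exe naming pattern and reports which PIDs were reused. The input is a constructed excerpt copied from the table earlier on this page (the triplicated rows are kept for the first two spawns only); the row format, the name regex and the field names are assumptions about this report's layout, not a documented schema.

```python
"""Rebuild the spawn chain from a sandbox report's "wrote to memory" rows and
flag the self-replicating "in<7 lowercase letters>.exe" dropper pattern.

Added example for this page; it is not part of the sandbox's own tooling.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the report's "wrote to memory" table. The report lists
# each spawn three times (one row per WriteProcessMemory call); only the first
# two spawns keep their repeats here.
REPORT_ROWS = """
PID 1180 wrote to memory of 3260 1180 NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe 88
PID 1180 wrote to memory of 3260 1180 NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe 88
PID 1180 wrote to memory of 3260 1180 NEAS.a5ac4d3363fff3a2ab8388c25592fce0.exe 88
PID 3260 wrote to memory of 2340 3260 inbqiycju.exe 89
PID 3260 wrote to memory of 2340 3260 inbqiycju.exe 89
PID 3260 wrote to memory of 2340 3260 inbqiycju.exe 89
PID 2340 wrote to memory of 1424 2340 inwixlnmf.exe 90
PID 1424 wrote to memory of 4492 1424 inyufnzuj.exe 91
PID 4492 wrote to memory of 3500 4492 inmprqjiy.exe 92
PID 3500 wrote to memory of 1216 3500 inetlfmxc.exe 93
PID 1216 wrote to memory of 2844 1216 invrckwrg.exe 94
PID 2844 wrote to memory of 4240 2844 inrdysgih.exe 95
PID 4240 wrote to memory of 4068 4240 innqsrkjz.exe 96
PID 4068 wrote to memory of 632 4068 inxjymong.exe 97
PID 632 wrote to memory of 4232 632 intfuikjc.exe 98
PID 4232 wrote to memory of 4132 4232 invhwkmle.exe 100
PID 4132 wrote to memory of 1980 4132 inldtepix.exe 102
PID 1980 wrote to memory of 1304 1980 inpsutmlb.exe 103
PID 1304 wrote to memory of 5100 1304 inmeufqjy.exe 104
PID 5100 wrote to memory of 1176 5100 infvypoww.exe 105
PID 1176 wrote to memory of 3500 1176 inqmfrmyb.exe 106
"""

# Assumed row layout: "PID <writer> wrote to memory of <target> <writer> <image> <procid>"
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)$")

# Dropped stage names in this report: "in" + seven lowercase letters + ".exe".
DROPPER_NAME_RE = re.compile(r"^in[a-z]{7}\.exe$")


@dataclass
class Edge:
    writer: int      # PID that called WriteProcessMemory
    target: int      # PID written into (the freshly spawned child)
    image: str       # image name of the writer
    procid: int      # sandbox-internal index of the target process
    writes: int = 1  # how many consecutive rows reported this pair


def parse_rows(text: str) -> list[Edge]:
    """Parse rows in report order, merging consecutive repeats into one Edge."""
    edges: list[Edge] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        e = Edge(int(m["writer"]), int(m["target"]), m["image"], int(m["procid"]))
        if edges and (edges[-1].writer, edges[-1].target) == (e.writer, e.target):
            edges[-1].writes += 1
        else:
            edges.append(e)
    return edges


def build_chain(edges: list[Edge]) -> tuple[list[tuple[int, str]], int]:
    """Follow writer -> target in report order. Returns every stage that spawned
    a child as (pid, image) plus the PID of the final child. Raises if a row's
    writer is not the previous row's target, i.e. the tree is not one straight line.
    Order matters: a PID dict would merge the two lives of PID 3500."""
    stages: list[tuple[int, str]] = []
    expected = None
    for e in edges:
        if expected is not None and e.writer != expected:
            raise ValueError(f"not a linear chain: expected {expected}, got {e.writer}")
        stages.append((e.writer, e.image))
        expected = e.target
    return stages, expected


def analyse(text: str) -> dict:
    """Summarise the chain: length, dropper names, whether every dropped name
    matches the pattern, and PIDs seen twice (the earlier holder had exited)."""
    edges = parse_rows(text)
    stages, last = build_chain(edges)
    pids = [pid for pid, _ in stages] + [last]
    dropped = [img for _, img in stages[1:]]
    return {
        "stages": len(stages) + 1,  # writers plus the final child
        "root": stages[0][1],
        "dropped_names": dropped,
        "all_dropped_match_pattern": all(DROPPER_NAME_RE.match(n) for n in dropped),
        "reused_pids": sorted(p for p, n in Counter(pids).items() if n > 1),
        "writes_per_spawn": sorted({e.writes for e in edges}),
    }


if __name__ == "__main__":
    for key, value in analyse(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full table, the "dropped_names" list is the file-name IoC set to sweep for, and "reused_pids" tells you which PIDs cannot be used on their own to tie a later event back to a stage.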