Analysis

max time kernel: 106s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2023, 17:37
Behavioral task: behavioral1
Sample: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Resource: win7-20230831-en
11 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Resource: win10v2004-20230915-en
11 signatures, 150 seconds
General

Target: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Size: 912KB
MD5: 2689377888cb7847a060ffc515f5fcc0
SHA1: 31c871ba5434e7651788c716ecbbfeaadcc09594
SHA256: 9b7dbc9eef7420d38960a35d450dc87e3ee757122ecf29f73cbbd51025291681
SHA512: 7c6d262267cdb880c37d22ebce17772918acf70adcd09f2cb0a11e28c5bf363d3e804dad5336780f66ec18ab43c37be92bd13292c97631cad2528ce2d1657042
SSDEEP: 24576:ouLwoR5RNPjKoOAeh0PpS6NxNnwYeOHXAhWTM:RPjOa1NxyYtH1M
Score: 10/10
Malware Config

Signatures
Gh0st RAT payload (64 IoCs)

resource | yara_rule
behavioral1/memory/2912-0-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0008000000012288-11.dat | family_gh0strat
behavioral1/files/0x002f000000015c9d-16.dat | family_gh0strat
behavioral1/files/0x002f000000015c9d-19.dat | family_gh0strat
behavioral1/memory/2912-27-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x002f000000015c9d-22.dat | family_gh0strat
behavioral1/memory/2568-26-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x002f000000015c9d-24.dat | family_gh0strat
behavioral1/files/0x002f000000015c9d-23.dat | family_gh0strat
behavioral1/files/0x002f000000015c9d-21.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-45.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-44.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-46.dat | family_gh0strat
behavioral1/memory/2964-53-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/memory/2568-55-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016c12-78.dat | family_gh0strat
behavioral1/memory/2964-84-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016c12-77.dat | family_gh0strat
behavioral1/memory/2432-83-0x0000000000230000-0x000000000025F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016c12-76.dat | family_gh0strat
behavioral1/files/0x0006000000016c12-75.dat | family_gh0strat
behavioral1/files/0x0006000000016c12-74.dat | family_gh0strat
behavioral1/files/0x0006000000016c12-69.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-52.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-51.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-50.dat | family_gh0strat
behavioral1/files/0x0013000000015ca4-49.dat | family_gh0strat
behavioral1/memory/2432-95-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016cbc-99.dat | family_gh0strat
behavioral1/memory/2432-111-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016cbc-108.dat | family_gh0strat
behavioral1/files/0x0006000000016cbc-107.dat | family_gh0strat
behavioral1/files/0x0006000000016ce8-125.dat | family_gh0strat
behavioral1/files/0x0006000000016cbc-106.dat | family_gh0strat
behavioral1/files/0x0006000000016cbc-105.dat | family_gh0strat
behavioral1/files/0x0006000000016cbc-104.dat | family_gh0strat
behavioral1/memory/1528-136-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016ce8-133.dat | family_gh0strat
behavioral1/files/0x0006000000016ce8-132.dat | family_gh0strat
behavioral1/files/0x0006000000016ce8-131.dat | family_gh0strat
behavioral1/files/0x0006000000016ce8-130.dat | family_gh0strat
behavioral1/files/0x0006000000016ce8-129.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-152.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-160.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-159.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-158.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-157.dat | family_gh0strat
behavioral1/files/0x0006000000016d25-154.dat | family_gh0strat
behavioral1/memory/2640-163-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016d63-178.dat | family_gh0strat
behavioral1/memory/1920-190-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000016d63-187.dat | family_gh0strat
behavioral1/files/0x0006000000016d63-186.dat | family_gh0strat
behavioral1/files/0x0006000000016d63-185.dat | family_gh0strat
behavioral1/files/0x0006000000016d63-184.dat | family_gh0strat
behavioral1/files/0x0006000000016d63-183.dat | family_gh0strat
behavioral1/files/0x0006000000017084-204.dat | family_gh0strat
behavioral1/memory/1968-214-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral1/files/0x0006000000017084-213.dat | family_gh0strat
behavioral1/files/0x0006000000017084-212.dat | family_gh0strat
behavioral1/files/0x0006000000017084-211.dat | family_gh0strat
behavioral1/files/0x0006000000017084-210.dat | family_gh0strat
behavioral1/files/0x0006000000017084-209.dat | family_gh0strat
behavioral1/files/0x0006000000017560-230.dat | family_gh0strat
Modifies Installed Components in the registry (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD285C86-168C-4802-BA03-E6F6D714F4CE}\stubpath = "C:\\Windows\\system32\\inuiybnpg.exe" | inykmqjhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{748AC16E-8134-4443-AF45-8ADED7E60199} | incybtpgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5444B9BC-4FF4-4d9e-A08C-48C172C34E10}\stubpath = "C:\\Windows\\system32\\inljswfrz.exe" | inwpkmkez.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9693DB8-E954-4870-AA07-B03E8452635B}\stubpath = "C:\\Windows\\system32\\innrmsqfx.exe" | invxurwtq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE61CC0-BDFC-4afa-8530-99F6C001E513}\stubpath = "C:\\Windows\\system32\\insrzztuj.exe" | inqgdzfrf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8020B639-0569-4641-B4EF-DB4D8069AA43}\stubpath = "C:\\Windows\\system32\\inaaajueu.exe" | inrkqhiua.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8DA5B7-CB89-45ef-9E6D-5FA0640B613A} | inlolxmlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E696E454-3EFC-49a0-8ABA-478BC85D6570} | inuonujxj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD6F5D0-90D8-4134-8C97-8D8AE1C5B175} | inirveqyf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{626369B7-3C00-4b71-A9B8-C2605A51BD2C}\stubpath = "C:\\Windows\\system32\\inqtvunam.exe" | infhthtec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7648638C-6CF1-4a02-980A-92475D55C675} | intmsjkwc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF1F7282-6A23-4c13-8291-D5EE3C313A10} | inijzqpfx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84E73557-807A-4e1f-B301-EAEAB5804D65} | inxjymong.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A9651D7-A797-403a-AE11-BF82B5D70387} | inmkimmxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD63CAA1-5FD9-49ee-B1A6-5C983ABEF071}\stubpath = "C:\\Windows\\system32\\inujlcwuk.exe" | ingiuiufd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B41059EA-6B92-4c03-A4F4-7C07E8807669}\stubpath = "C:\\Windows\\system32\\intetdxsy.exe" | inwgusogd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{243CAFB3-BC07-4e2b-92F2-4A75930C811E} | inxtleici.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3219881-D985-4731-AC5B-EF13DCBC282F} | inlgphgbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD7C01A8-E498-4368-B630-DDB09B93769F} | indlyubtu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8901F6B-9269-46b5-8B0E-CB7586EB5A15} | inpqffxwb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C9A8053-0FCE-4ca7-A789-4C7A249213CC} | inzydrlkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C2E54E0-D0F1-43ee-9148-B9941D7E7B24}\stubpath = "C:\\Windows\\system32\\inuvxhdct.exe" | infxiosfk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6A2163-C717-40c9-9E6E-33C9AFDDF97D} | inovtknpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{544BCF52-66F2-4275-832E-6F70484A3E4C}\stubpath = "C:\\Windows\\system32\\inngmlnpt.exe" | inqfmalkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7E3075C-854B-44e9-8F73-B80189F1CBE3} | inmvbdomc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28DBF457-B6C7-4a36-81D8-4DE7E9BDA3AB}\stubpath = "C:\\Windows\\system32\\ineqbmfxl.exe" | inigtklnv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1E635D3-A2A5-4751-B29F-7C1E11B31741}\stubpath = "C:\\Windows\\system32\\injhulmow.exe" | incvdypdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3540AE61-3D26-4c1b-B719-8D506F76CAAF} | innfvgrkz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE61CC0-BDFC-4afa-8530-99F6C001E513} | inqgdzfrf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40993D8E-9440-4675-AC11-F2A28B385F8F}\stubpath = "C:\\Windows\\system32\\inxrycagn.exe" | inuydrpyf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CD1DF20-7D79-4f8b-94E4-2FDD9CDB6820} | injaxsmjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{490E25BF-ABC4-4a02-8C05-50440B42AD25}\stubpath = "C:\\Windows\\system32\\inclwgwbt.exe" | indjvakex.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F978AB22-31DC-4fe0-B033-44C784C415CB}\stubpath = "C:\\Windows\\system32\\inigtklnv.exe" | invrckwrg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{241C0024-4118-4459-BCBA-461146C0A320}\stubpath = "C:\\Windows\\system32\\inxitdtqe.exe" | ineugyxhj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AE7F044-58E2-4056-8826-880B8FA6C605} | ingvetxyk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A5E48D8-2D41-434d-9532-1832212A9647}\stubpath = "C:\\Windows\\system32\\invxurwtq.exe" | ingkycsra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10CCBF6D-D7B7-4487-B354-C3B441C9C245}\stubpath = "C:\\Windows\\system32\\inwldhtuf.exe" | inwjfatav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B3D6D6-2C7E-4e6e-8A62-AE5B39D5308B}\stubpath = "C:\\Windows\\system32\\infumgnyd.exe" | inbqiycju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FAD2A44-E64C-40a8-8E7B-9C80470050C7}\stubpath = "C:\\Windows\\system32\\initcmsrt.exe" | inwyzbftn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45013B38-93AC-4868-98C4-C736635DE308}\stubpath = "C:\\Windows\\system32\\inhuwzjax.exe" | inocokdvj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE23E43C-6189-46e7-9D9A-B44543EEC886}\stubpath = "C:\\Windows\\system32\\inmjhdsul.exe" | inatybwnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E86DC64-4FA2-40fa-A129-AE46066D1C45}\stubpath = "C:\\Windows\\system32\\inniyteex.exe" | inldtepix.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31A0326-54B2-4df2-AD32-76AC1AD3C8CA}\stubpath = "C:\\Windows\\system32\\inlgwrccv.exe" | ineuxonvv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C25DE3-2C41-4eeb-8D3D-31C50AD6AADF} | intsuvkkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05297EEA-1146-48d4-BED5-DD5DE77E3266} | inltanpsp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C938EFC6-FEAC-49b9-AA57-3485BCA5A70B} | inewrcnnk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DC0DA56-0309-4c0a-8E35-4724B2B314B0} | inwonikuc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488B468F-25BA-4210-BAAB-CA096D480EB3} | insanriau.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FCFDBE-A702-47af-A2E1-662724B9051B}\stubpath = "C:\\Windows\\system32\\inhegsgsd.exe" | inortslka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36386284-DD2D-4e0d-BB0E-1158343CF728} | inrdysgih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90F27CBB-CEE2-4f1b-9B5D-06B6B1F670A0} | iniwaqpwa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC35FF44-1156-4a6b-AB0A-8BD180DE2C49}\stubpath = "C:\\Windows\\system32\\inljyapnv.exe" | inopeewva.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE851143-8859-4a2f-8E28-24BD58630E92} | incsnrmiw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D8AF8C-CAF4-4de0-BD5C-ABAC1666B2C3} | ingfvhjng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9B8C008-5592-45a2-8187-6ED02A22797A}\stubpath = "C:\\Windows\\system32\\inxzpbsoh.exe" | inhzrfkoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB8F0D9-D246-42a8-BFC3-B51ADB204AA7} | indwztgsi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18271501-FF3A-4d8c-9AD1-7159CBD62C06} | injyixbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3FFA27-D44F-4a2f-ABBB-47F17A381D99}\stubpath = "C:\\Windows\\system32\\inrurbsrs.exe" | inhwoipfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFBF0C4-7BE6-41cc-86FC-4FFFA583E7A4}\stubpath = "C:\\Windows\\system32\\inaqceivb.exe" | inisucehe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B8CE505-E935-47ee-8304-607BA2E8D21A} | innuocedv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CF948AA-6ED4-4953-9ECA-52A2DCFBAFE8}\stubpath = "C:\\Windows\\system32\\ineugyxhj.exe" | ingerepgv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DFBAAF-7BA8-4e7a-8838-4128ADEC1198} | inmtiwity.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{284DEEDF-3897-4c92-88D4-4C39103EF1DB} | inimthpzj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{355EC8D3-B72D-45a5-9C49-798AACBEC19B} | inngmlnpt.exe
ACProtect 1.3x - 1.4x DLL software (11 IoCs)
Detects file using ACProtect software.

resource | yara_rule
behavioral1/files/0x00060000000120e6-3.dat | acprotect
behavioral1/files/0x0009000000016300-31.dat | acprotect
behavioral1/files/0x0009000000016300-30.dat | acprotect
behavioral1/files/0x0006000000016c65-80.dat | acprotect
behavioral1/files/0x0006000000016adf-57.dat | acprotect
behavioral1/files/0x0006000000016cd5-112.dat | acprotect
behavioral1/files/0x0006000000016cf8-139.dat | acprotect
behavioral1/files/0x0006000000016d41-165.dat | acprotect
behavioral1/files/0x0006000000016d74-191.dat | acprotect
behavioral1/files/0x00060000000171ee-217.dat | acprotect
behavioral1/files/0x0005000000018693-244.dat | acprotect
Executes dropped EXE (64 IoCs)

pid | Process
2568 | incrjzdkv.exe
2964 | inmeufqjy.exe
2432 | inoavpdfe.exe
1528 | incgzwjvl.exe
2640 | inwixlnmf.exe
1920 | insezthji.exe
1968 | indskelwb.exe
2356 | inaphxbit.exe
2960 | inwsdlxsh.exe
904 | inbaqtkjr.exe
1140 | inatwyxqd.exe
2008 | intpaiupe.exe
2176 | inaikwkwh.exe
2124 | inetlfmxc.exe
1616 | inqmfrmyb.exe
2924 | inxjymong.exe
2436 | infdqdofu.exe
2720 | inwmpgfnn.exe
2896 | invhwkmle.exe
1212 | inhwnltjf.exe
868 | inesqmezb.exe
1956 | inmkxopbr.exe
1912 | inpleqlxa.exe
2860 | inbfyviuk.exe
756 | inqcxrfhg.exe
2380 | inmprqjiy.exe
2360 | inpfzcyeq.exe
2996 | indhxkwmb.exe
1440 | invrckwrg.exe
2348 | inigtklnv.exe
2848 | ineqbmfxl.exe
320 | inlsmacbt.exe
1716 | inbuxzyre.exe
2556 | indqsmlmh.exe
2580 | inbbkvfva.exe
2452 | inhiypoew.exe
2440 | indwztgsi.exe
2492 | inogwahsa.exe
388 | injyqkarh.exe
1148 | inomzqrdt.exe
2768 | inyjbrycn.exe
2152 | incvdypdo.exe
2792 | injhulmow.exe
2856 | infhthtec.exe
2264 | inqtvunam.exe
1744 | inkbaivic.exe
2380 | inochlfll.exe
2524 | inwhpwale.exe
400 | inpbwqegf.exe
2980 | inertnmni.exe
1068 | indtwnmuu.exe
2088 | incwvxbyn.exe
2248 | injlxlxig.exe
2316 | inecpcnet.exe
2928 | incsnrmiw.exe
2592 | inzvgovkd.exe
2808 | inupkqjvx.exe
2500 | inopeewva.exe
2896 | inljyapnv.exe
2736 | inxiaqxbm.exe
1996 | innfvgrkz.exe
2204 | inqgdzfrf.exe
808 | insrzztuj.exe
1748 | inapnrseu.exe
Loads dropped DLL (64 IoCs)

pid | Process
2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2964 | inmeufqjy.exe
2964 | inmeufqjy.exe
2964 | inmeufqjy.exe
2964 | inmeufqjy.exe
2964 | inmeufqjy.exe
2432 | inoavpdfe.exe
2432 | inoavpdfe.exe
2432 | inoavpdfe.exe
2432 | inoavpdfe.exe
2432 | inoavpdfe.exe
1528 | incgzwjvl.exe
1528 | incgzwjvl.exe
1528 | incgzwjvl.exe
1528 | incgzwjvl.exe
1528 | incgzwjvl.exe
2640 | inwixlnmf.exe
2640 | inwixlnmf.exe
2640 | inwixlnmf.exe
2640 | inwixlnmf.exe
2640 | inwixlnmf.exe
1920 | insezthji.exe
1920 | insezthji.exe
1920 | insezthji.exe
1920 | insezthji.exe
1920 | insezthji.exe
1968 | indskelwb.exe
1968 | indskelwb.exe
1968 | indskelwb.exe
1968 | indskelwb.exe
1968 | indskelwb.exe
2356 | inaphxbit.exe
2356 | inaphxbit.exe
2356 | inaphxbit.exe
2356 | inaphxbit.exe
2356 | inaphxbit.exe
2960 | inwsdlxsh.exe
2960 | inwsdlxsh.exe
2960 | inwsdlxsh.exe
2960 | inwsdlxsh.exe
2960 | inwsdlxsh.exe
904 | inbaqtkjr.exe
904 | inbaqtkjr.exe
904 | inbaqtkjr.exe
904 | inbaqtkjr.exe
904 | inbaqtkjr.exe
1140 | inatwyxqd.exe
1140 | inatwyxqd.exe
1140 | inatwyxqd.exe
1140 | inatwyxqd.exe
1140 | inatwyxqd.exe
2008 | intpaiupe.exe
2008 | intpaiupe.exe
2008 | intpaiupe.exe
2008 | intpaiupe.exe
2008 | intpaiupe.exe
2176 | inaikwkwh.exe
2176 | inaikwkwh.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\injaxsmjs.exe | injfzedyv.exe
File created | C:\Windows\SysWOW64\invbdruwx.exe | inblsqhkm.exe
File opened for modification | C:\Windows\SysWOW64\invxurwtq.exe_lang.ini | ingkycsra.exe
File created | C:\Windows\SysWOW64\inqrgtvyi.exe | invlbrhjx.exe
File created | C:\Windows\SysWOW64\infsuonoj.exe | insaljfpw.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | invqmdynu.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | injmdckxk.exe
File created | C:\Windows\SysWOW64\infumgnyd.exe | inbqiycju.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | innlypqcs.exe
File opened for modification | C:\Windows\SysWOW64\inzkcszdo.exe_lang.ini | inzhuwqpq.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | iniqgcwmo.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | indkntxkp.exe
File opened for modification | C:\Windows\SysWOW64\indskelwb.exe_lang.ini | insezthji.exe
File created | C:\Windows\SysWOW64\inrfpuysy.exe | inujlcwuk.exe
File created | C:\Windows\SysWOW64\inqfeufhj.exe | inmxiifwj.exe
File opened for modification | C:\Windows\SysWOW64\indtfhlye.exe_lang.ini | infrgacrf.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | innhouwkt.exe
File opened for modification | C:\Windows\SysWOW64\indcsegkx.exe_lang.ini | inkietvme.exe
File created | C:\Windows\SysWOW64\inwhpwale.exe | inochlfll.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inujlcwuk.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inpdimgmm.exe
File opened for modification | C:\Windows\SysWOW64\injfqeotx.exe_lang.ini | inbobfwma.exe
File created | C:\Windows\SysWOW64\inrxixhwa.exe | innptoush.exe
File created | C:\Windows\SysWOW64\innoddvuk.exe | inrhnxdft.exe
File opened for modification | C:\Windows\SysWOW64\infsuonoj.exe_lang.ini | insaljfpw.exe
File created | C:\Windows\SysWOW64\inclwgwbt.exe | indjvakex.exe
File opened for modification | C:\Windows\SysWOW64\inwsdlxsh.exe_lang.ini | inaphxbit.exe
File created | C:\Windows\SysWOW64\inqgdzfrf.exe | innfvgrkz.exe
File opened for modification | C:\Windows\SysWOW64\inlgwrccv.exe_lang.ini | ineuxonvv.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inxbxjcyj.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inpbwqegf.exe
File opened for modification | C:\Windows\SysWOW64\inasgqvzt.exe_lang.ini | inwemzvcu.exe
File created | C:\Windows\SysWOW64\inrgbjark.exe | indkntxkp.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | invxurwtq.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inqfeufhj.exe
File created | C:\Windows\SysWOW64\inpiofygs.exe | insohtodl.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | invpovkyk.exe
File created | C:\Windows\SysWOW64\invlbrhjx.exe | inrurbsrs.exe
File created | C:\Windows\SysWOW64\inigtklnv.exe | invrckwrg.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inykznpoh.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inrhnxdft.exe
File opened for modification | C:\Windows\SysWOW64\inrshhzyd.exe_lang.ini | inswrxvke.exe
File opened for modification | C:\Windows\SysWOW64\inaouaylq.exe_lang.ini | inzbfsfjq.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inirveqyf.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inyegrpfl.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inrmslxzd.exe
File created | C:\Windows\SysWOW64\inciujlvs.exe | inbuzcxoc.exe
File created | C:\Windows\SysWOW64\invzzdxxz.exe | inaeepccp.exe
File created | C:\Windows\SysWOW64\inuiybnpg.exe | inykmqjhq.exe
File opened for modification | C:\Windows\SysWOW64\inowqgwxz.exe_lang.ini | inmflkmos.exe
File opened for modification | C:\Windows\SysWOW64\injmdckxk.exe_lang.ini | inhegsgsd.exe
File opened for modification | C:\Windows\SysWOW64\inbmkzbqa.exe_lang.ini | inqjpgzht.exe
File opened for modification | C:\Windows\SysWOW64\inbbmmbxa.exe_lang.ini | incbrdfjw.exe
File created | C:\Windows\SysWOW64\inhjvjvge.exe | inscqyokc.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inkivmnpx.exe
File created | C:\Windows\SysWOW64\insywlfel.exe | inpdimgmm.exe
File opened for modification | C:\Windows\SysWOW64\inhuwzjax.exe_lang.ini | inocokdvj.exe
File created | C:\Windows\SysWOW64\inoxdfqoe.exe | inqfmalkm.exe
File opened for modification | C:\Windows\SysWOW64\inbxslgig.exe_lang.ini | indigocxg.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | insezthji.exe
File opened for modification | C:\Windows\SysWOW64\intfuikjc.exe_lang.ini | inrfpuysy.exe
File opened for modification | C:\Windows\SysWOW64\inbjudnts.exe_lang.ini | incbrdfjw.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inrcangym.exe
File opened for modification | C:\Windows\SysWOW64\insofpwae.exe_lang.ini | inirveqyf.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
2568 | incrjzdkv.exe
2964 | inmeufqjy.exe
2432 | inoavpdfe.exe
1528 | incgzwjvl.exe
2640 | inwixlnmf.exe
1920 | insezthji.exe
1968 | indskelwb.exe
2356 | inaphxbit.exe
2960 | inwsdlxsh.exe
904 | inbaqtkjr.exe
1140 | inatwyxqd.exe
2008 | intpaiupe.exe
2176 | inaikwkwh.exe
2124 | inetlfmxc.exe
1616 | inqmfrmyb.exe
2924 | inxjymong.exe
2436 | infdqdofu.exe
2720 | inwmpgfnn.exe
2896 | invhwkmle.exe
1212 | inhwnltjf.exe
868 | inesqmezb.exe
1956 | inmkxopbr.exe
1912 | inpleqlxa.exe
2860 | inbfyviuk.exe
756 | inqcxrfhg.exe
2380 | inmprqjiy.exe
2360 | inpfzcyeq.exe
2996 | indhxkwmb.exe
1440 | invrckwrg.exe
2348 | inigtklnv.exe
2848 | ineqbmfxl.exe
320 | inlsmacbt.exe
1716 | inbuxzyre.exe
2556 | indqsmlmh.exe
2580 | inbbkvfva.exe
2452 | inhiypoew.exe
2440 | indwztgsi.exe
2492 | inogwahsa.exe
388 | injyqkarh.exe
1148 | inomzqrdt.exe
2768 | inyjbrycn.exe
2152 | incvdypdo.exe
2792 | injhulmow.exe
2856 | infhthtec.exe
2264 | inqtvunam.exe
1744 | inkbaivic.exe
2380 | inochlfll.exe
2524 | inwhpwale.exe
400 | inpbwqegf.exe
2980 | inertnmni.exe
1068 | indtwnmuu.exe
2088 | incwvxbyn.exe
2248 | injlxlxig.exe
2316 | inecpcnet.exe
2928 | incsnrmiw.exe
2592 | inzvgovkd.exe
2808 | inupkqjvx.exe
2500 | inopeewva.exe
2896 | inljyapnv.exe
2736 | inxiaqxbm.exe
1996 | innfvgrkz.exe
2204 | inqgdzfrf.exe
808 | insrzztuj.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Token: SeDebugPrivilege | 2568 | incrjzdkv.exe
Token: SeDebugPrivilege | 2964 | inmeufqjy.exe
Token: SeDebugPrivilege | 2432 | inoavpdfe.exe
Token: SeDebugPrivilege | 1528 | incgzwjvl.exe
Token: SeDebugPrivilege | 2640 | inwixlnmf.exe
Token: SeDebugPrivilege | 1920 | insezthji.exe
Token: SeDebugPrivilege | 1968 | indskelwb.exe
Token: SeDebugPrivilege | 2356 | inaphxbit.exe
Token: SeDebugPrivilege | 2960 | inwsdlxsh.exe
Token: SeDebugPrivilege | 904 | inbaqtkjr.exe
Token: SeDebugPrivilege | 1140 | inatwyxqd.exe
Token: SeDebugPrivilege | 2008 | intpaiupe.exe
Token: SeDebugPrivilege | 2176 | inaikwkwh.exe
Token: SeDebugPrivilege | 2124 | inetlfmxc.exe
Token: SeDebugPrivilege | 1616 | inqmfrmyb.exe
Token: SeDebugPrivilege | 2924 | inxjymong.exe
Token: SeDebugPrivilege | 2436 | infdqdofu.exe
Token: SeDebugPrivilege | 2720 | inwmpgfnn.exe
Token: SeDebugPrivilege | 2896 | invhwkmle.exe
Token: SeDebugPrivilege | 1212 | inhwnltjf.exe
Token: SeDebugPrivilege | 868 | inesqmezb.exe
Token: SeDebugPrivilege | 1956 | inmkxopbr.exe
Token: SeDebugPrivilege | 1912 | inpleqlxa.exe
Token: SeDebugPrivilege | 2860 | inbfyviuk.exe
Token: SeDebugPrivilege | 756 | inqcxrfhg.exe
Token: SeDebugPrivilege | 2380 | inmprqjiy.exe
Token: SeDebugPrivilege | 2360 | inpfzcyeq.exe
Token: SeDebugPrivilege | 2996 | indhxkwmb.exe
Token: SeDebugPrivilege | 1440 | invrckwrg.exe
Token: SeDebugPrivilege | 2348 | inigtklnv.exe
Token: SeDebugPrivilege | 2848 | ineqbmfxl.exe
Token: SeDebugPrivilege | 320 | inlsmacbt.exe
Token: SeDebugPrivilege | 1716 | inbuxzyre.exe
Token: SeDebugPrivilege | 2556 | indqsmlmh.exe
Token: SeDebugPrivilege | 2580 | inbbkvfva.exe
Token: SeDebugPrivilege | 2452 | inhiypoew.exe
Token: SeDebugPrivilege | 2440 | indwztgsi.exe
Token: SeDebugPrivilege | 2492 | inogwahsa.exe
Token: SeDebugPrivilege | 388 | injyqkarh.exe
Token: SeDebugPrivilege | 1148 | inomzqrdt.exe
Token: SeDebugPrivilege | 2768 | inyjbrycn.exe
Token: SeDebugPrivilege | 2152 | incvdypdo.exe
Token: SeDebugPrivilege | 2792 | injhulmow.exe
Token: SeDebugPrivilege | 2856 | infhthtec.exe
Token: SeDebugPrivilege | 2264 | inqtvunam.exe
Token: SeDebugPrivilege | 1744 | inkbaivic.exe
Token: SeDebugPrivilege | 2380 | inochlfll.exe
Token: SeDebugPrivilege | 2524 | inwhpwale.exe
Token: SeDebugPrivilege | 400 | inpbwqegf.exe
Token: SeDebugPrivilege | 2980 | inertnmni.exe
Token: SeDebugPrivilege | 1068 | indtwnmuu.exe
Token: SeDebugPrivilege | 2088 | incwvxbyn.exe
Token: SeDebugPrivilege | 2248 | injlxlxig.exe
Token: SeDebugPrivilege | 2316 | inecpcnet.exe
Token: SeDebugPrivilege | 2928 | incsnrmiw.exe
Token: SeDebugPrivilege | 2592 | inzvgovkd.exe
Token: SeDebugPrivilege | 2808 | inupkqjvx.exe
Token: SeDebugPrivilege | 2500 | inopeewva.exe
Token: SeDebugPrivilege | 2896 | inljyapnv.exe
Token: SeDebugPrivilege | 2736 | inxiaqxbm.exe
Token: SeDebugPrivilege | 1996 | innfvgrkz.exe
Token: SeDebugPrivilege | 2204 | inqgdzfrf.exe
Token: SeDebugPrivilege | 808 | insrzztuj.exe
Suspicious use of SetWindowsHookEx (29 IoCs)

pid | Process
2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
2568 | incrjzdkv.exe
2964 | inmeufqjy.exe
2432 | inoavpdfe.exe
1528 | incgzwjvl.exe
2640 | inwixlnmf.exe
1920 | insezthji.exe
1968 | indskelwb.exe
2356 | inaphxbit.exe
2960 | inwsdlxsh.exe
904 | inbaqtkjr.exe
1140 | inatwyxqd.exe
2008 | intpaiupe.exe
2176 | inaikwkwh.exe
2124 | inetlfmxc.exe
1616 | inqmfrmyb.exe
2924 | inxjymong.exe
2436 | infdqdofu.exe
2720 | inwmpgfnn.exe
2896 | invhwkmle.exe
1212 | inhwnltjf.exe
868 | inesqmezb.exe
1956 | inmkxopbr.exe
1912 | inpleqlxa.exe
2860 | inbfyviuk.exe
756 | inqcxrfhg.exe
2380 | inmprqjiy.exe
2360 | inpfzcyeq.exe
2996 | indhxkwmb.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2912 wrote to memory of 2568 | 2912 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 28
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2568 wrote to memory of 2964 | 2568 | incrjzdkv.exe | 29
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2964 wrote to memory of 2432 | 2964 | inmeufqjy.exe | 30
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 2432 wrote to memory of 1528 | 2432 | inoavpdfe.exe | 31
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 1528 wrote to memory of 2640 | 1528 | incgzwjvl.exe | 32
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 2640 wrote to memory of 1920 | 2640 | inwixlnmf.exe | 33
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1920 wrote to memory of 1968 | 1920 | insezthji.exe | 34
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 1968 wrote to memory of 2356 | 1968 | indskelwb.exe | 35
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2356 wrote to memory of 2960 | 2356 | inaphxbit.exe | 36
PID 2960 wrote to memory of 904 | 2960 | inwsdlxsh.exe | 37
Processes
Each entry below is one process in the spawn chain: tree depth (each process is the child of the entry above it), Windows PID, image path on disk, and the command line it was started with, followed by the behaviours the sandbox flagged for it. The image path is under C:\Windows\SysWOW64 although the command line names C:\Windows\system32: the stages are 32-bit processes, so WOW64 file-system redirection maps their system32 writes to SysWOW64. Several PIDs (for example 2964, 2896, 1616, 1212, 868, 1528, 1912, 2380, 2980, 2316 and 2928) recur at different depths, which is only possible because the earlier stage with that PID had already exited; correlate stages by depth and image name, not by PID alone. "Modifies Installed Components in the registry" refers to the Active Setup Installed Components key, a persistence location.
Depth 1 | PID 2912 | image: C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 2 | PID 2568 | image: C:\Windows\SysWOW64\incrjzdkv.exe | cmdline: C:\Windows\system32\incrjzdkv.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 3 | PID 2964 | image: C:\Windows\SysWOW64\inmeufqjy.exe | cmdline: C:\Windows\system32\inmeufqjy.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 4 | PID 2432 | image: C:\Windows\SysWOW64\inoavpdfe.exe | cmdline: C:\Windows\system32\inoavpdfe.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 5 | PID 1528 | image: C:\Windows\SysWOW64\incgzwjvl.exe | cmdline: C:\Windows\system32\incgzwjvl.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 6 | PID 2640 | image: C:\Windows\SysWOW64\inwixlnmf.exe | cmdline: C:\Windows\system32\inwixlnmf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 7 | PID 1920 | image: C:\Windows\SysWOW64\insezthji.exe | cmdline: C:\Windows\system32\insezthji.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 8 | PID 1968 | image: C:\Windows\SysWOW64\indskelwb.exe | cmdline: C:\Windows\system32\indskelwb.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 9 | PID 2356 | image: C:\Windows\SysWOW64\inaphxbit.exe | cmdline: C:\Windows\system32\inaphxbit.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 10 | PID 2960 | image: C:\Windows\SysWOW64\inwsdlxsh.exe | cmdline: C:\Windows\system32\inwsdlxsh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 11 | PID 904 | image: C:\Windows\SysWOW64\inbaqtkjr.exe | cmdline: C:\Windows\system32\inbaqtkjr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 12 | PID 1140 | image: C:\Windows\SysWOW64\inatwyxqd.exe | cmdline: C:\Windows\system32\inatwyxqd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 13 | PID 2008 | image: C:\Windows\SysWOW64\intpaiupe.exe | cmdline: C:\Windows\system32\intpaiupe.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 14 | PID 2176 | image: C:\Windows\SysWOW64\inaikwkwh.exe | cmdline: C:\Windows\system32\inaikwkwh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 15 | PID 2124 | image: C:\Windows\SysWOW64\inetlfmxc.exe | cmdline: C:\Windows\system32\inetlfmxc.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 16 | PID 1616 | image: C:\Windows\SysWOW64\inqmfrmyb.exe | cmdline: C:\Windows\system32\inqmfrmyb.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 17 | PID 2924 | image: C:\Windows\SysWOW64\inxjymong.exe | cmdline: C:\Windows\system32\inxjymong.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 18 | PID 2436 | image: C:\Windows\SysWOW64\infdqdofu.exe | cmdline: C:\Windows\system32\infdqdofu.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 19 | PID 2720 | image: C:\Windows\SysWOW64\inwmpgfnn.exe | cmdline: C:\Windows\system32\inwmpgfnn.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 20 | PID 2896 | image: C:\Windows\SysWOW64\invhwkmle.exe | cmdline: C:\Windows\system32\invhwkmle.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 21 | PID 1212 | image: C:\Windows\SysWOW64\inhwnltjf.exe | cmdline: C:\Windows\system32\inhwnltjf.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 22 | PID 868 | image: C:\Windows\SysWOW64\inesqmezb.exe | cmdline: C:\Windows\system32\inesqmezb.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 23 | PID 1956 | image: C:\Windows\SysWOW64\inmkxopbr.exe | cmdline: C:\Windows\system32\inmkxopbr.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 24 | PID 1912 | image: C:\Windows\SysWOW64\inpleqlxa.exe | cmdline: C:\Windows\system32\inpleqlxa.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 25 | PID 2860 | image: C:\Windows\SysWOW64\inbfyviuk.exe | cmdline: C:\Windows\system32\inbfyviuk.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 26 | PID 756 | image: C:\Windows\SysWOW64\inqcxrfhg.exe | cmdline: C:\Windows\system32\inqcxrfhg.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 27 | PID 2380 | image: C:\Windows\SysWOW64\inmprqjiy.exe | cmdline: C:\Windows\system32\inmprqjiy.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 28 | PID 2360 | image: C:\Windows\SysWOW64\inpfzcyeq.exe | cmdline: C:\Windows\system32\inpfzcyeq.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 29 | PID 2996 | image: C:\Windows\SysWOW64\indhxkwmb.exe | cmdline: C:\Windows\system32\indhxkwmb.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Depth 30 | PID 1440 | image: C:\Windows\SysWOW64\invrckwrg.exe | cmdline: C:\Windows\system32\invrckwrg.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 31 | PID 2348 | image: C:\Windows\SysWOW64\inigtklnv.exe | cmdline: C:\Windows\system32\inigtklnv.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 32 | PID 2848 | image: C:\Windows\SysWOW64\ineqbmfxl.exe | cmdline: C:\Windows\system32\ineqbmfxl.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 33 | PID 320 | image: C:\Windows\SysWOW64\inlsmacbt.exe | cmdline: C:\Windows\system32\inlsmacbt.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 34 | PID 1716 | image: C:\Windows\SysWOW64\inbuxzyre.exe | cmdline: C:\Windows\system32\inbuxzyre.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 35 | PID 2556 | image: C:\Windows\SysWOW64\indqsmlmh.exe | cmdline: C:\Windows\system32\indqsmlmh.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 36 | PID 2580 | image: C:\Windows\SysWOW64\inbbkvfva.exe | cmdline: C:\Windows\system32\inbbkvfva.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 37 | PID 2452 | image: C:\Windows\SysWOW64\inhiypoew.exe | cmdline: C:\Windows\system32\inhiypoew.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 38 | PID 2440 | image: C:\Windows\SysWOW64\indwztgsi.exe | cmdline: C:\Windows\system32\indwztgsi.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 39 | PID 2492 | image: C:\Windows\SysWOW64\inogwahsa.exe | cmdline: C:\Windows\system32\inogwahsa.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 40 | PID 388 | image: C:\Windows\SysWOW64\injyqkarh.exe | cmdline: C:\Windows\system32\injyqkarh.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 41 | PID 1148 | image: C:\Windows\SysWOW64\inomzqrdt.exe | cmdline: C:\Windows\system32\inomzqrdt.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 42 | PID 2768 | image: C:\Windows\SysWOW64\inyjbrycn.exe | cmdline: C:\Windows\system32\inyjbrycn.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 43 | PID 2152 | image: C:\Windows\SysWOW64\incvdypdo.exe | cmdline: C:\Windows\system32\incvdypdo.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 44 | PID 2792 | image: C:\Windows\SysWOW64\injhulmow.exe | cmdline: C:\Windows\system32\injhulmow.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 45 | PID 2856 | image: C:\Windows\SysWOW64\infhthtec.exe | cmdline: C:\Windows\system32\infhthtec.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 46 | PID 2264 | image: C:\Windows\SysWOW64\inqtvunam.exe | cmdline: C:\Windows\system32\inqtvunam.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 47 | PID 1744 | image: C:\Windows\SysWOW64\inkbaivic.exe | cmdline: C:\Windows\system32\inkbaivic.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 48 | PID 2380 | image: C:\Windows\SysWOW64\inochlfll.exe | cmdline: C:\Windows\system32\inochlfll.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 49 | PID 2524 | image: C:\Windows\SysWOW64\inwhpwale.exe | cmdline: C:\Windows\system32\inwhpwale.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 50 | PID 400 | image: C:\Windows\SysWOW64\inpbwqegf.exe | cmdline: C:\Windows\system32\inpbwqegf.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 51 | PID 2980 | image: C:\Windows\SysWOW64\inertnmni.exe | cmdline: C:\Windows\system32\inertnmni.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 52 | PID 1068 | image: C:\Windows\SysWOW64\indtwnmuu.exe | cmdline: C:\Windows\system32\indtwnmuu.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 53 | PID 2088 | image: C:\Windows\SysWOW64\incwvxbyn.exe | cmdline: C:\Windows\system32\incwvxbyn.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 54 | PID 2248 | image: C:\Windows\SysWOW64\injlxlxig.exe | cmdline: C:\Windows\system32\injlxlxig.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 55 | PID 2316 | image: C:\Windows\SysWOW64\inecpcnet.exe | cmdline: C:\Windows\system32\inecpcnet.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 56 | PID 2928 | image: C:\Windows\SysWOW64\incsnrmiw.exe | cmdline: C:\Windows\system32\incsnrmiw.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 57 | PID 2592 | image: C:\Windows\SysWOW64\inzvgovkd.exe | cmdline: C:\Windows\system32\inzvgovkd.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 58 | PID 2808 | image: C:\Windows\SysWOW64\inupkqjvx.exe | cmdline: C:\Windows\system32\inupkqjvx.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 59 | PID 2500 | image: C:\Windows\SysWOW64\inopeewva.exe | cmdline: C:\Windows\system32\inopeewva.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 60 | PID 2896 | image: C:\Windows\SysWOW64\inljyapnv.exe | cmdline: C:\Windows\system32\inljyapnv.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 61 | PID 2736 | image: C:\Windows\SysWOW64\inxiaqxbm.exe | cmdline: C:\Windows\system32\inxiaqxbm.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 62 | PID 1996 | image: C:\Windows\SysWOW64\innfvgrkz.exe | cmdline: C:\Windows\system32\innfvgrkz.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 63 | PID 2204 | image: C:\Windows\SysWOW64\inqgdzfrf.exe | cmdline: C:\Windows\system32\inqgdzfrf.exe
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 64 | PID 808 | image: C:\Windows\SysWOW64\insrzztuj.exe | cmdline: C:\Windows\system32\insrzztuj.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Depth 65 | PID 1748 | image: C:\Windows\SysWOW64\inapnrseu.exe | cmdline: C:\Windows\system32\inapnrseu.exe
- Executes dropped EXE
Depth 66 | PID 676 | image: C:\Windows\SysWOW64\inykznpoh.exe | cmdline: C:\Windows\system32\inykznpoh.exe
- Drops file in System32 directory
Depth 67 | PID 2608 | image: C:\Windows\SysWOW64\inbjwysrs.exe | cmdline: C:\Windows\system32\inbjwysrs.exe
Depth 68 | PID 2324 | image: C:\Windows\SysWOW64\inlhzufqa.exe | cmdline: C:\Windows\system32\inlhzufqa.exe
Depth 69 | PID 1820 | image: C:\Windows\SysWOW64\indtkzjxv.exe | cmdline: C:\Windows\system32\indtkzjxv.exe
Depth 70 | PID 960 | image: C:\Windows\SysWOW64\inzloqpih.exe | cmdline: C:\Windows\system32\inzloqpih.exe
Depth 71 | PID 1824 | image: C:\Windows\SysWOW64\inyorihpp.exe | cmdline: C:\Windows\system32\inyorihpp.exe
Depth 72 | PID 1088 | image: C:\Windows\SysWOW64\inxsdoolp.exe | cmdline: C:\Windows\system32\inxsdoolp.exe
Depth 73 | PID 1584 | image: C:\Windows\SysWOW64\incvyzsfr.exe | cmdline: C:\Windows\system32\incvyzsfr.exe
Depth 74 | PID 876 | image: C:\Windows\SysWOW64\inixomukg.exe | cmdline: C:\Windows\system32\inixomukg.exe
Depth 75 | PID 1616 | image: C:\Windows\SysWOW64\inixpjqgj.exe | cmdline: C:\Windows\system32\inixpjqgj.exe
Depth 76 | PID 2676 | image: C:\Windows\SysWOW64\inxnqhgoo.exe | cmdline: C:\Windows\system32\inxnqhgoo.exe
Depth 77 | PID 2964 | image: C:\Windows\SysWOW64\inldtepix.exe | cmdline: C:\Windows\system32\inldtepix.exe
- Modifies Installed Components in the registry
Depth 78 | PID 1512 | image: C:\Windows\SysWOW64\inniyteex.exe | cmdline: C:\Windows\system32\inniyteex.exe
Depth 79 | PID 2424 | image: C:\Windows\SysWOW64\inahuhbcs.exe | cmdline: C:\Windows\system32\inahuhbcs.exe
Depth 80 | PID 2896 | image: C:\Windows\SysWOW64\inruwvobn.exe | cmdline: C:\Windows\system32\inruwvobn.exe
Depth 81 | PID 1212 | image: C:\Windows\SysWOW64\inxrqyyst.exe | cmdline: C:\Windows\system32\inxrqyyst.exe
Depth 82 | PID 3016 | image: C:\Windows\SysWOW64\inbsfowhf.exe | cmdline: C:\Windows\system32\inbsfowhf.exe
Depth 83 | PID 1912 | image: C:\Windows\SysWOW64\inyegrpfl.exe | cmdline: C:\Windows\system32\inyegrpfl.exe
- Drops file in System32 directory
Depth 84 | PID 1700 | image: C:\Windows\SysWOW64\inadbobmd.exe | cmdline: C:\Windows\system32\inadbobmd.exe
Depth 85 | PID 2988 | image: C:\Windows\SysWOW64\iniizepdz.exe | cmdline: C:\Windows\system32\iniizepdz.exe
Depth 86 | PID 1640 | image: C:\Windows\SysWOW64\inzhuwqpq.exe | cmdline: C:\Windows\system32\inzhuwqpq.exe
- Drops file in System32 directory
Depth 87 | PID 1624 | image: C:\Windows\SysWOW64\inzkcszdo.exe | cmdline: C:\Windows\system32\inzkcszdo.exe
Depth 88 | PID 1940 | image: C:\Windows\SysWOW64\inortslka.exe | cmdline: C:\Windows\system32\inortslka.exe
- Modifies Installed Components in the registry
Depth 89 | PID 2980 | image: C:\Windows\SysWOW64\inhegsgsd.exe | cmdline: C:\Windows\system32\inhegsgsd.exe
- Drops file in System32 directory
Depth 90 | PID 1296 | image: C:\Windows\SysWOW64\injmdckxk.exe | cmdline: C:\Windows\system32\injmdckxk.exe
- Drops file in System32 directory
Depth 91 | PID 2644 | image: C:\Windows\SysWOW64\inaexuhtj.exe | cmdline: C:\Windows\system32\inaexuhtj.exe
Depth 92 | PID 2336 | image: C:\Windows\SysWOW64\inuqbjvqf.exe | cmdline: C:\Windows\system32\inuqbjvqf.exe
Depth 93 | PID 2928 | image: C:\Windows\SysWOW64\ineuxonvv.exe | cmdline: C:\Windows\system32\ineuxonvv.exe
- Modifies Installed Components in the registry
- Drops file in System32 directory
Depth 94 | PID 2528 | image: C:\Windows\SysWOW64\inlgwrccv.exe | cmdline: C:\Windows\system32\inlgwrccv.exe
Depth 95 | PID 836 | image: C:\Windows\SysWOW64\injyiwuqi.exe | cmdline: C:\Windows\system32\injyiwuqi.exe
Depth 96 | PID 2964 | image: C:\Windows\SysWOW64\inrdysgih.exe | cmdline: C:\Windows\system32\inrdysgih.exe
- Modifies Installed Components in the registry
Depth 97 | PID 868 | image: C:\Windows\SysWOW64\intmsjkwc.exe | cmdline: C:\Windows\system32\intmsjkwc.exe
- Modifies Installed Components in the registry
Depth 98 | PID 1528 | image: C:\Windows\SysWOW64\injkrqgyq.exe | cmdline: C:\Windows\system32\injkrqgyq.exe
Depth 99 | PID 1656 | image: C:\Windows\SysWOW64\infslrijv.exe | cmdline: C:\Windows\system32\infslrijv.exe
Depth 100 | PID 1432 | image: C:\Windows\SysWOW64\inazpsjiq.exe | cmdline: C:\Windows\system32\inazpsjiq.exe
Depth 101 | PID 2352 | image: C:\Windows\SysWOW64\inbobfwma.exe | cmdline: C:\Windows\system32\inbobfwma.exe
- Drops file in System32 directory
Depth 102 | PID 3044 | image: C:\Windows\SysWOW64\injfqeotx.exe | cmdline: C:\Windows\system32\injfqeotx.exe
Depth 103 | PID 936 | image: C:\Windows\SysWOW64\inhnmoqun.exe | cmdline: C:\Windows\system32\inhnmoqun.exe
Depth 104 | PID 3004 | image: C:\Windows\SysWOW64\innswqwhw.exe | cmdline: C:\Windows\system32\innswqwhw.exe
Depth 105 | PID 1476 | image: C:\Windows\SysWOW64\inblsqhkm.exe | cmdline: C:\Windows\system32\inblsqhkm.exe
- Drops file in System32 directory
Depth 106 | PID 2036 | image: C:\Windows\SysWOW64\invbdruwx.exe | cmdline: C:\Windows\system32\invbdruwx.exe
Depth 107 | PID 1688 | image: C:\Windows\SysWOW64\inlubyhti.exe | cmdline: C:\Windows\system32\inlubyhti.exe
Depth 108 | PID 1612 | image: C:\Windows\SysWOW64\inefvmlzb.exe | cmdline: C:\Windows\system32\inefvmlzb.exe
Depth 109 | PID 2316 | image: C:\Windows\SysWOW64\innptoush.exe | cmdline: C:\Windows\system32\innptoush.exe
- Drops file in System32 directory
Depth 110 | PID 1580 | image: C:\Windows\SysWOW64\inrxixhwa.exe | cmdline: C:\Windows\system32\inrxixhwa.exe
Depth 111 | PID 2504 | image: C:\Windows\SysWOW64\inscqyokc.exe | cmdline: C:\Windows\system32\inscqyokc.exe
- Drops file in System32 directory
Depth 112 | PID 1516 | image: C:\Windows\SysWOW64\inhjvjvge.exe | cmdline: C:\Windows\system32\inhjvjvge.exe
Depth 113 | PID 2748 | image: C:\Windows\SysWOW64\inbqiycju.exe | cmdline: C:\Windows\system32\inbqiycju.exe
- Modifies Installed Components in the registry
- Drops file in System32 directory
Depth 114 | PID 2784 | image: C:\Windows\SysWOW64\infumgnyd.exe | cmdline: C:\Windows\system32\infumgnyd.exe
Depth 115 | PID 1684 | image: C:\Windows\SysWOW64\inqnbrgit.exe | cmdline: C:\Windows\system32\inqnbrgit.exe
Depth 116 | PID 1948 | image: C:\Windows\SysWOW64\inpqffxwb.exe | cmdline: C:\Windows\system32\inpqffxwb.exe
- Modifies Installed Components in the registry
Depth 117 | PID 1104 | image: C:\Windows\SysWOW64\inpsutmlb.exe | cmdline: C:\Windows\system32\inpsutmlb.exe
Depth 118 | PID 2836 | image: C:\Windows\SysWOW64\infvypoww.exe | cmdline: C:\Windows\system32\infvypoww.exe
Depth 119 | PID 2096 | image: C:\Windows\SysWOW64\innlypqcs.exe | cmdline: C:\Windows\system32\innlypqcs.exe
- Drops file in System32 directory
Depth 120 | PID 1208 | image: C:\Windows\SysWOW64\insgwlney.exe | cmdline: C:\Windows\system32\insgwlney.exe
Depth 121 | PID 1216 | image: C:\Windows\SysWOW64\invuwaxma.exe | cmdline: C:\Windows\system32\invuwaxma.exe
Depth 122 | PID 1444 | image: C:\Windows\SysWOW64\inkzrlbas.exe | cmdline: C:\Windows\system32\inkzrlbas.exe
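The process tree and the "wrote to memory" table above tell one story: every stage drops the next one into SysWOW64 under a fresh "in" plus seven-letter name, writes into it, hands off and exits. The script below is an added example written for this page; it is not part of the report and not sandbox tooling. It parses tree entries in either the raw export layout (image path, command line and tree depth run together, with the PID on the same or the following line) or a one-line `Depth N | PID n | image: ... | cmdline: ...` layout, parses the WriteProcessMemory rows, and computes what a triage analyst wants from them: chain length, how many parent-to-child links are confirmed by an actual memory write, how many stage names fit the naming scheme, which images live under SysWOW64 while their command line says system32 (32-bit stages, WOW64 redirection), which PIDs are reused, and which stages touched the Active Setup Installed Components key. The sample input is a constructed excerpt of the page's own entries; the `in[a-z]{7}` name pattern is generalized from the names on this page and is an assumption beyond it.

```python
"""Reconstruct the dropper chain from the sandbox report text.

Added example, not sandbox code: parse the process tree and the
'wrote to memory' rows, link the stages and report the indicators.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Raw export layout: <image path><command line><tree depth>⤵[PID:<n>]
# The image always ends in ".exe" and the command line starts with an
# optional quote and a drive letter, so the two glued paths split cleanly.
TREE_LINE_RAW = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)'
    r'(?P<cmdline>"?[A-Za-z]:\\.+?\.exe"?)'
    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$'
)
# One-line-per-process layout: Depth N | PID n | image: ... | cmdline: ...
TREE_LINE_CLEAN = re.compile(
    r'^Depth (?P<depth>\d+) \| PID (?P<pid>\d+) \| image: (?P<image>.+?) \| cmdline: (?P<cmdline>.+)$'
)
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)\s*-?\s*$')
TAG_LINE = re.compile(r'^-\s+(?P<tag>\S.*?)\s*$')
# "PID <src> wrote to memory of <dst> <src> <image name> <sandbox procid>"
WRITE_ROW = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<procid>\d+)'
)
# Assumption generalized from this page: every dropped stage is "in" + 7 letters.
DROPPER_NAME = re.compile(r'^in[a-z]{7}\.exe$')
PERSISTENCE_TAG = 'Modifies Installed Components in the registry'


@dataclass
class Proc:
    depth: int
    pid: int
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


def parse_process_tree(text):
    """Return the processes sorted by tree depth; both layouts are accepted."""
    procs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TREE_LINE_RAW.match(line) or TREE_LINE_CLEAN.match(line)
        if m:
            pid = int(m['pid']) if m['pid'] else 0  # raw layout: PID may follow on its own line
            current = Proc(int(m['depth']), pid, m['image'], m['cmdline'].strip('"'))
            procs.append(current)
            continue
        m = PID_LINE.match(line)
        if m and current is not None:
            current.pid = int(m['pid'])
            continue
        m = TAG_LINE.match(line)
        if m and current is not None:
            current.tags.append(m['tag'])
    return sorted(procs, key=lambda p: p.depth)


def parse_write_events(text):
    """Return {(writer pid, target pid): number of WriteProcessMemory rows}."""
    return Counter((int(m['src']), int(m['dst'])) for m in WRITE_ROW.finditer(text))


def analyze(procs, events):
    """Link consecutive stages and collect the chain's indicators."""
    links = [(a.pid, b.pid, (a.pid, b.pid) in events) for a, b in zip(procs, procs[1:])]
    names = [p.image.rsplit('\\', 1)[-1] for p in procs]
    return {
        'chain_length': len(procs),
        'confirmed_links': sum(1 for _, _, ok in links if ok),  # backed by a real write
        'dropper_names': sum(1 for n in names if DROPPER_NAME.match(n)),
        # image under SysWOW64 while the command line says system32: 32-bit stage
        'wow64_redirected': [p.pid for p in procs
                             if '\\syswow64\\' in p.image.lower() and '\\system32\\' in p.cmdline.lower()],
        # same PID at two depths: the earlier stage had already exited
        'pid_reuse': sorted(pid for pid, n in Counter(p.pid for p in procs).items() if n > 1),
        'persistence_pids': [p.pid for p in procs if PERSISTENCE_TAG in p.tags],
    }


# Constructed excerpt of the page's tree (raw layout) and of its 'wrote to
# memory' rows: stages 1-3 plus two later stages, one of which reuses PID 2964.
SAMPLE_TREE = r'''
C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe2⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe3⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\inbjwysrs.exeC:\Windows\system32\inbjwysrs.exe67⤵PID:2608
-
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe96⤵
- Modifies Installed Components in the registry
PID:2964 -
'''
SAMPLE_EVENTS = (
    'PID 2912 wrote to memory of 2568 2912 NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe 28 '
    'PID 2912 wrote to memory of 2568 2912 NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe 28 '
    'PID 2568 wrote to memory of 2964 2568 incrjzdkv.exe 29'
)

PROCS = parse_process_tree(SAMPLE_TREE)
EVENTS = parse_write_events(SAMPLE_EVENTS)
FINDINGS = analyze(PROCS, EVENTS)

if __name__ == '__main__':
    for key, value in FINDINGS.items():
        print(f'{key}: {value}')
```

Run it against the full page text and the numbers grow to a 122-stage chain with 10 confirmed links, because the WriteProcessMemory list stops after the first write from 2960; the unconfirmed links are still parent-child by tree depth, the report just did not keep every event. The `pid_reuse` list is the reason the link check keys on consecutive tree entries rather than on PID alone: the same PID names different stages at different depths.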