Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/10/2023, 17:37
Behavioral task: behavioral1
Sample: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Resource: win7-20230831-en
11 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Resource: win10v2004-20230915-en
11 signatures, 150 seconds

All signature hits and process data below are taken from behavioral2 (the Windows 10 run); every resource identifier is prefixed behavioral2/.
General
Target: NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Size: 912KB
MD5: 2689377888cb7847a060ffc515f5fcc0
SHA1: 31c871ba5434e7651788c716ecbbfeaadcc09594
SHA256: 9b7dbc9eef7420d38960a35d450dc87e3ee757122ecf29f73cbbd51025291681
SHA512: 7c6d262267cdb880c37d22ebce17772918acf70adcd09f2cb0a11e28c5bf363d3e804dad5336780f66ec18ab43c37be92bd13292c97631cad2528ce2d1657042
SSDEEP: 24576:ouLwoR5RNPjKoOAeh0PpS6NxNnwYeOHXAhWTM:RPjOa1NxyYtH1M
Score: 10/10
Malware Config
Signatures
Gh0st RAT payload 60 IoCs
yara_rule family_gh0strat matched the following 60 resources (the 0x400000-0x42F000 image region of each stage process, and dropped files):
behavioral2/memory/2924-0-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/2924-8-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0007000000023251-15.dat
behavioral2/files/0x000200000002281a-21.dat
behavioral2/memory/2924-25-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x000200000002281a-23.dat
behavioral2/files/0x000b00000002317e-45.dat
behavioral2/files/0x000b00000002317e-44.dat
behavioral2/memory/3860-64-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0007000000023258-67.dat
behavioral2/files/0x0007000000023258-66.dat
behavioral2/memory/4044-83-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x000700000002325c-89.dat
behavioral2/memory/2224-105-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0007000000023260-111.dat
behavioral2/memory/3820-171-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x000600000002326d-177.dat
behavioral2/memory/1876-180-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023271-199.dat
behavioral2/memory/2880-215-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023276-221.dat
behavioral2/memory/752-238-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023276-220.dat
behavioral2/files/0x0006000000023271-198.dat
behavioral2/files/0x000600000002326d-176.dat
behavioral2/files/0x0006000000023269-155.dat
behavioral2/files/0x0006000000023269-154.dat
behavioral2/memory/5048-149-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023265-133.dat
behavioral2/files/0x0006000000023265-132.dat
behavioral2/memory/3400-242-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/4668-127-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0007000000023260-110.dat
behavioral2/files/0x000600000002327a-246.dat
behavioral2/files/0x000600000002327a-244.dat
behavioral2/files/0x000700000002325c-88.dat
behavioral2/files/0x0007000000023258-61.dat
behavioral2/files/0x000600000002327e-266.dat
behavioral2/files/0x0006000000023282-289.dat
behavioral2/memory/2504-305-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023286-311.dat
behavioral2/memory/5080-314-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023286-310.dat
behavioral2/files/0x000600000002328a-333.dat
behavioral2/files/0x000600000002328a-332.dat
behavioral2/memory/3544-337-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x000600000002328e-357.dat
behavioral2/files/0x000600000002328e-356.dat
behavioral2/memory/4552-351-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/3632-393-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/2920-389-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x0006000000023282-288.dat
behavioral2/memory/1728-282-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/files/0x000600000002327e-265.dat
behavioral2/memory/3420-416-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/1300-438-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/1976-453-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/4192-475-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/2404-490-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral2/memory/860-510-0x0000000000400000-0x000000000042F000-memory.dmp
Modifies Installed Components in the registry 2 TTPs 64 IoCs
All 64 entries are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components (the 32-bit view of HKLM); that prefix is omitted from the ioc column below.
description | ioc | Process
Set value (str) | {D9B528D9-27BF-42f4-8D20-67CDDE3BF3FE}\stubpath = "C:\\Windows\\system32\\inxtemyti.exe" | ingtvpopk.exe
Key created | {714A9615-5A91-4490-A9B3-09F654E46A42} | indtkzjxv.exe
Set value (str) | {7877C1D4-BFD7-4274-829F-C55FBBD93A45}\stubpath = "C:\\Windows\\system32\\insjarhdx.exe" | inacgtgkr.exe
Key created | {A63B79B3-A595-4fb9-AD04-128E8860AA71} | inebmvqfa.exe
Key created | {C0696538-6E00-4e5a-A585-317386BF3214} | inzhpyfbx.exe
Set value (str) | {72297E3E-6509-48ba-A540-B2D9F0846C64}\stubpath = "C:\\Windows\\system32\\injmdckxk.exe" | inwixlnmf.exe
Set value (str) | {9F2F25F6-4F54-4916-9F0E-EC4D517C4E61}\stubpath = "C:\\Windows\\system32\\inmxiifwj.exe" | inruwvobn.exe
Set value (str) | {6A751549-2078-42f9-A2BD-AE4E33D41B9F}\stubpath = "C:\\Windows\\system32\\inwemzvcu.exe" | inbpxnjbw.exe
Set value (str) | {FB1F44D8-5377-4f46-9A70-6B150F7A0BC4}\stubpath = "C:\\Windows\\system32\\inesqmezb.exe" | inochlfll.exe
Set value (str) | {20887325-F413-44ef-8DC2-AE176C02E95E}\stubpath = "C:\\Windows\\system32\\inogwahsa.exe" | inhwoipfi.exe
Key created | {FD1FA735-A8DA-456a-9DFC-DAD6D6D1E16D} | inopeewva.exe
Key created | {566696AC-9A13-483f-B53B-C21C738EE2AC} | inhgwhjlo.exe
Set value (str) | {21812B33-9E70-43bb-A8EF-082E3D3ACB67}\stubpath = "C:\\Windows\\system32\\inlgisalg.exe" | intbosajb.exe
Set value (str) | {119F1725-62CD-42b3-AF2D-1090960EF0E8}\stubpath = "C:\\Windows\\system32\\inertnmni.exe" | insnyjjgx.exe
Key created | {C4263DC1-FB10-4181-AA81-4F8D31EB5520} | inorbpnrr.exe
Key created | {D5471946-984E-4973-B229-433EA4464DBE} | inbfffozj.exe
Key created | {1B95DB31-2492-4f4d-8D7B-791F17936AD1} | inxtleici.exe
Set value (str) | {4E5A19EA-47D2-4add-BD9D-41415181EA7D}\stubpath = "C:\\Windows\\system32\\infvypoww.exe" | indwezqep.exe
Set value (str) | {B8AC05AA-2E43-4a6e-B5C4-B3DE565F79BD}\stubpath = "C:\\Windows\\system32\\inbmkzbqa.exe" | injkrqgyq.exe
Key created | {3757D3BC-00E9-43e9-B803-D651B1821AB1} | ingerepgv.exe
Set value (str) | {C3527738-69DF-4554-9BC1-DA16DF76A3E6}\stubpath = "C:\\Windows\\system32\\inuqbjvqf.exe" | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
Key created | {0C3E27CB-6474-469c-AABD-10BB6744B6C6} | inyegrpfl.exe
Key created | {983ECE69-D19B-4a7c-AB63-1E20E7B447A3} | inhscspdt.exe
Key created | {EE89281A-2FC5-4820-9B6D-EF35EEE3DCDF} | inxrycagn.exe
Key created | {2E136B56-4D62-4fab-887A-67A9E6032420} | inewhnrej.exe
Set value (str) | {AFB2D9FB-DBE7-4cae-85A0-96D357E2BBE8}\stubpath = "C:\\Windows\\system32\\inqdhyock.exe" | inertnmni.exe
Set value (str) | {769ACAE1-2B15-4aac-B587-494E84E5566C}\stubpath = "C:\\Windows\\system32\\incrjzdkv.exe" | intfuikjc.exe
Key created | {096A113C-ABDA-4f3c-8636-C8DE470E6FC8} | invwyxcqk.exe
Key created | {C30A31D2-9E4D-4f1b-B661-D575A1D56C44} | inugvjlkd.exe
Key created | {6DDF9FC2-1C30-4c13-A1E7-B9ECCF17B4C2} | inhzpfbvl.exe
Key created | {B214E733-4FEF-49ac-8EFD-0A13FCF0212A} | inljyapnv.exe
Key created | {0253224D-5609-4aa6-9D98-EE418AF23788} | inyufnzuj.exe
Set value (str) | {6A7176D6-E7A9-4778-B1E7-CE5C0FCC7564}\stubpath = "C:\\Windows\\system32\\ingoxeawx.exe" | inniyteex.exe
Key created | {DB2060EF-D389-4a89-BB82-9243695D9ACA} | inmtiwity.exe
Key created | {7EA7A759-4035-490a-A59A-D1C5CC676F4F} | inbfyviuk.exe
Key created | {4BE1323A-C3FF-493e-AA95-AFEDDC7DE297} | inwemzvcu.exe
Set value (str) | {95AD9674-2C38-4e81-BEBA-81F644C249AC}\stubpath = "C:\\Windows\\system32\\inujlcwuk.exe" | invnbgkek.exe
Set value (str) | {8BD6ABEB-AF1C-42b0-9431-AFB21079A7C0}\stubpath = "C:\\Windows\\system32\\injyqkarh.exe" | inazpsjiq.exe
Set value (str) | {2C16D536-61B4-4a52-B4E1-EBBBB1BE2847}\stubpath = "C:\\Windows\\system32\\innqsrkjz.exe" | inhjvjvge.exe
Set value (str) | {3FD68E96-597F-4ca8-88E9-237E72E3E8EB}\stubpath = "C:\\Windows\\system32\\inyodrton.exe" | inovtknpq.exe
Key created | {B876D48E-838D-4dbe-A505-01506E5743D0} | inkvbdqbu.exe
Key created | {97916E84-7C86-40f9-8BD1-4F840A37C11F} | inqgdzfrf.exe
Key created | {4E1CA9FA-C6F8-4423-9964-E06FE651D865} | infumgnyd.exe
Set value (str) | {2E136B56-4D62-4fab-887A-67A9E6032420}\stubpath = "C:\\Windows\\system32\\inomvcziu.exe" | inewhnrej.exe
Set value (str) | {5DD5409B-7589-4587-B84A-DF73AAC22263}\stubpath = "C:\\Windows\\system32\\inpdimgmm.exe" | inlgphgbd.exe
Key created | {387DFF0B-9C98-4e54-903D-D85F720735DF} | inhzrfkoi.exe
Key created | {B8AC05AA-2E43-4a6e-B5C4-B3DE565F79BD} | injkrqgyq.exe
Set value (str) | {215D74EA-33FC-47a5-9478-6FB938B51099}\stubpath = "C:\\Windows\\system32\\ingcowdkg.exe" | inyaereiz.exe
Set value (str) | {7A82642C-DAC8-4ea9-834D-0F0710A82AC0}\stubpath = "C:\\Windows\\system32\\inwmcsiky.exe" | ingyagyjp.exe
Key created | {F86A3C78-86AC-4009-9A56-DB76EC8F1E01} | infslrijv.exe
Set value (str) | {3B4538A6-D84A-471c-874A-2BFCCFB49A7E}\stubpath = "C:\\Windows\\system32\\inrcangym.exe" | inaphxbit.exe
Key created | {B59C7366-E963-4586-92D2-26B4CE935376} | intmsjkwc.exe
Key created | {041C87F7-EEF6-4643-816A-60462811D42F} | invudbffq.exe
Key created | {527F99FC-588F-43a2-95A0-5BB0345DDDFC} | ingcowdkg.exe
Key created | {65B90840-8EA6-474e-94F8-C743D5A21D15} | inqcxrfhg.exe
Key created | {3FB37D0B-50B9-4549-BAE2-D077493ED323} | inwsdlxsh.exe
Set value (str) | {84324677-BDDF-4868-8F46-561542AB6663}\stubpath = "C:\\Windows\\system32\\inofbieyd.exe" | insbznvcp.exe
Set value (str) | {708BFB6F-E6EC-4fc2-9189-D3A7432DEF27}\stubpath = "C:\\Windows\\system32\\inatybwnb.exe" | inujqmuoe.exe
Key created | {2B08CF8D-6F42-4236-AF6C-FF0050B6DEB5} | inmprqjiy.exe
Key created | {A0E2B7D9-663B-43d4-815C-B08A1D209B3A} | inbmkzbqa.exe
Set value (str) | {CEDBB318-50BB-4c9a-B577-D3211CEA64CA}\stubpath = "C:\\Windows\\system32\\inztjzmib.exe" | inpdlvxfh.exe
Set value (str) | {4647BA92-22ED-488f-BC89-DCFA5013CC3C}\stubpath = "C:\\Windows\\system32\\intikurgv.exe" | inqxbfmkb.exe
Key created | {9BD764E5-9049-425b-840F-44F20DC43990} | inbuxzyre.exe
Key created | {B57A1E45-5152-4f58-8090-BE8CE11FB2AD} | innuocedv.exe
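Active Setup is a per-user logon persistence point: at interactive logon Windows compares each CLSID under HKLM\...\Active Setup\Installed Components with the same path under the logging-on user's HKCU, and where the HKCU copy is missing (or has a lower Version) it runs the StubPath command and then writes the HKCU key. Every stubpath value above therefore re-launches one dropped stage for each user who logs on. As an added example that is not part of the sandbox report or the sample, the Python below parses records in the shape this section uses and flags Active Setup entries whose StubPath launches one of the dropped in*.exe stages. The record strings are constructed from entries in this section; the last record is a hypothetical benign-looking entry (its CLSID and command are made up) included to show what the check ignores.

```python
import re

# Record shape as the sandbox prints it:
#   "<op> <registry path>[\stubpath = "<command>"] <writing process>"
# Matches both the native key and the WOW6432Node (32-bit) view used by this sample.
ACTIVE_SETUP_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup'
    r'\\Installed Components\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})'
    r'(?:\\stubpath = "(?P<stub>[^"]*)")?'
    r' (?P<writer>\S+)$',
    re.IGNORECASE,
)

# Naming scheme of this sample's dropped stages: "in" followed by seven lowercase letters.
STAGE_NAME_RE = re.compile(r'^in[a-z]{7}\.exe$', re.IGNORECASE)

# Constructed sample input: three records copied in shape from this report's
# "Modifies Installed Components" section, plus one hypothetical benign-looking
# entry (made-up CLSID and command) to show what the check ignores.
SAMPLE_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9B528D9-27BF-42f4-8D20-67CDDE3BF3FE}\stubpath = "C:\\Windows\\system32\\inxtemyti.exe" ingtvpopk.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{714A9615-5A91-4490-A9B3-09F654E46A42} indtkzjxv.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3527738-69DF-4554-9BC1-DA16DF76A3E6}\stubpath = "C:\\Windows\\system32\\inuqbjvqf.exe" NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\stubpath = "C:\\Windows\\system32\\regsvr32.exe /s shell32.dll" msiexec.exe',
]


def parse_record(line):
    """Return a dict for one Active Setup record, or None if the line is not one."""
    m = ACTIVE_SETUP_RE.match(line.strip())
    if not m:
        return None
    stub = m.group('stub')
    if stub is not None:
        # The report prints backslashes inside the value doubled; undo that.
        stub = stub.replace('\\\\', '\\')
    return {
        'op': m.group('op'),
        'clsid': m.group('clsid').upper(),
        'stub': stub,
        'writer': m.group('writer'),
    }


def stub_image(stub):
    """Basename of the executable a StubPath command line launches."""
    stub = stub.strip()
    if stub.startswith('"'):
        exe = stub[1:stub.find('"', 1)]   # quoted path, may contain spaces
    else:
        exe = stub.split(' ', 1)[0]       # first token is the program
    return exe.rsplit('\\', 1)[-1]


def find_stage_persistence(lines):
    """Flag Active Setup StubPath values that launch a dropped in*.exe stage."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec['stub'] is None:
            continue  # not an Active Setup record, or a bare "Key created"
        image = stub_image(rec['stub'])
        if STAGE_NAME_RE.match(image):
            findings.append({
                'clsid': rec['clsid'],
                'stub': rec['stub'],
                'image': image,
                'writer': rec['writer'],
            })
    return findings


if __name__ == '__main__':
    for f in find_stage_persistence(SAMPLE_RECORDS):
        print(f"{f['clsid']} -> {f['stub']} (written by {f['writer']})")
```

On a live host the equivalent check is to enumerate the StubPath values under both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the WOW6432Node view and compare each command against the expected Microsoft stubs; a StubPath that points at a randomly named executable in a system directory, as every entry above does, should be treated as persistence regardless of the CLSID.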
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
yara_rule acprotect matched the following 33 dropped-file resources:
behavioral2/files/0x000a00000002317f-4.dat
behavioral2/files/0x000a00000002317f-2.dat
behavioral2/files/0x000a00000002317f-14.dat
behavioral2/files/0x0007000000023253-28.dat
behavioral2/files/0x0007000000023253-26.dat
behavioral2/files/0x0007000000023256-49.dat
behavioral2/files/0x000700000002325a-72.dat
behavioral2/files/0x000700000002325a-70.dat
behavioral2/files/0x000700000002325e-94.dat
behavioral2/files/0x0006000000023263-116.dat
behavioral2/files/0x0006000000023267-138.dat
behavioral2/files/0x000600000002326b-160.dat
behavioral2/files/0x0006000000023278-226.dat
behavioral2/files/0x0006000000023278-224.dat
behavioral2/files/0x0006000000023273-204.dat
behavioral2/files/0x0006000000023273-202.dat
behavioral2/files/0x000600000002326f-183.dat
behavioral2/files/0x000600000002326f-181.dat
behavioral2/files/0x000600000002326b-158.dat
behavioral2/files/0x0006000000023267-136.dat
behavioral2/files/0x0006000000023263-114.dat
behavioral2/files/0x000700000002325e-92.dat
behavioral2/files/0x000600000002327c-250.dat
behavioral2/files/0x000600000002327c-248.dat
behavioral2/files/0x0006000000023284-292.dat
behavioral2/files/0x0006000000023284-294.dat
behavioral2/files/0x0006000000023288-317.dat
behavioral2/files/0x000600000002328c-340.dat
behavioral2/files/0x000600000002328c-338.dat
behavioral2/files/0x0006000000023288-315.dat
behavioral2/files/0x0006000000023280-271.dat
behavioral2/files/0x0006000000023280-269.dat
behavioral2/files/0x0007000000023256-47.dat
Executes dropped EXE 64 IoCs
pid | Process
3860 | inuqbjvqf.exe
4044 | invrckwrg.exe
2224 | incgzwjvl.exe
4668 | insohtodl.exe
5048 | inyjbrycn.exe
3820 | inrdysgih.exe
1876 | inldtepix.exe
2880 | intfuikjc.exe
752 | incrjzdkv.exe
3400 | inaikwkwh.exe
1728 | inpbwqegf.exe
2504 | inlsmacbt.exe
5080 | insvxwpco.exe
3544 | inwhpwale.exe
4552 | inhwoipfi.exe
2920 | inogwahsa.exe
3632 | indwztgsi.exe
3420 | inoavpdfe.exe
1300 | ingvzmksi.exe
1976 | inbrulkss.exe
4192 | intcrvwiy.exe
2404 | inqcxrfhg.exe
860 | infhthtec.exe
4100 | injwnoaqy.exe
440 | inpiofygs.exe
5076 | inpleqlxa.exe
4460 | inzvgovkd.exe
3488 | inewrcnnk.exe
3412 | inykznpoh.exe
4596 | inomzqrdt.exe
1472 | inrngsnzc.exe
1116 | insbquvhx.exe
4188 | inoxdfqoe.exe
2924 | ineybxzdp.exe
1288 | inixpjqgj.exe
1068 | inmeufqjy.exe
3852 | inbuxzyre.exe
4656 | ingvetxyk.exe
2404 | ingtvpopk.exe
3708 | inxtemyti.exe
1020 | iniqzgcyz.exe
4572 | innlypqcs.exe
1756 | incvyzsfr.exe
3624 | inkuaczqt.exe
4908 | inmnccutj.exe
4500 | ingwzqpxx.exe
1832 | innuocedv.exe
4336 | inbqostfv.exe
3260 | infslrijv.exe
3352 | inbjwysrs.exe
4140 | inlofemzm.exe
4084 | inqgdzfrf.exe
4664 | inigtklnv.exe
4512 | inazpsjiq.exe
944 | injyqkarh.exe
3364 | inqklaasr.exe
5104 | inkbaivic.exe
4984 | innfvgrkz.exe
2880 | inrshhzyd.exe
4368 | inyorihpp.exe
1756 | inbjudnts.exe
2640 | inaivxrqr.exe
1348 | ingtgabri.exe
3140 | invwyxcqk.exe
Every executed binary follows the same naming scheme, "in" plus seven lowercase letters, and the list is capped at 64 entries. PIDs are reused within the 150-second run (2924 is first the submitted sample and later ineybxzdp.exe; 2404, 2880 and 1756 each appear twice), so correlate on image name and time rather than on PID alone.
Loads dropped DLL 64 IoCs
The report lists each process twice (64 entries for 32 processes):
pid | Process
2924 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
3860 | inuqbjvqf.exe
4044 | invrckwrg.exe
2224 | incgzwjvl.exe
4668 | insohtodl.exe
5048 | inyjbrycn.exe
3820 | inrdysgih.exe
1876 | inldtepix.exe
2880 | intfuikjc.exe
752 | incrjzdkv.exe
3400 | inaikwkwh.exe
1728 | inpbwqegf.exe
2504 | inlsmacbt.exe
5080 | insvxwpco.exe
3544 | inwhpwale.exe
4552 | inhwoipfi.exe
2920 | inogwahsa.exe
3632 | indwztgsi.exe
3420 | inoavpdfe.exe
1300 | ingvzmksi.exe
1976 | inbrulkss.exe
4192 | intcrvwiy.exe
2404 | inqcxrfhg.exe
860 | infhthtec.exe
4100 | injwnoaqy.exe
440 | inpiofygs.exe
5076 | inpleqlxa.exe
4460 | inzvgovkd.exe
3488 | inewrcnnk.exe
3412 | inykznpoh.exe
4596 | inomzqrdt.exe
1472 | inrngsnzc.exe
Drops file in System32 directory 64 IoCs
All paths are under C:\Windows\SysWOW64\; that prefix is omitted from the ioc column below.
description | ioc | Process
File opened for modification | inxitdtqe.exe_lang.ini | inyegrpfl.exe
File created | inxrqyyst.exe | inkvbdqbu.exe
File created | inddqfcew.exe | ingtjmoji.exe
File opened for modification | syslog.dat | ingtjmoji.exe
File opened for modification | inebgydau.exe_lang.ini | inknhvqeu.exe
File created | inwsdlxsh.exe | inwmpgfnn.exe
File opened for modification | syslog.dat | ingoxeawx.exe
File opened for modification | inrfpuysy.exe_lang.ini | iniszaxor.exe
File opened for modification | syslog.dat | inhfbqsjb.exe
File opened for modification | ingvetxyk.exe_lang.ini | inbuxzyre.exe
File opened for modification | inkivmnpx.exe_lang.ini | inbfyviuk.exe
File created | insaljfpw.exe | inlhzufqa.exe
File created | inaqgiwze.exe | inipelkjl.exe
File created | inkvbdqbu.exe | inalzlawr.exe
File created | inupkqjvx.exe | inxrqyyst.exe
File created | inmflkmos.exe | inortslka.exe
File opened for modification | infhthtec.exe_lang.ini | inqcxrfhg.exe
File opened for modification | inzhpyfbx.exe_lang.ini | inwmcsiky.exe
File opened for modification | inxtemyti.exe_lang.ini | ingtvpopk.exe
File opened for modification | inigtklnv.exe_lang.ini | inqgdzfrf.exe
File opened for modification | syslog.dat | inaqgiwze.exe
File opened for modification | insbznvcp.exe_lang.ini | infudswxj.exe
File created | inqcxrfhg.exe | intcrvwiy.exe
File opened for modification | inrngsnzc.exe_lang.ini | inomzqrdt.exe
File opened for modification | incraptug.exe_lang.ini | inqmfrmyb.exe
File created | infdqdofu.exe | infsuonoj.exe
File created | insvxwpco.exe | inlsmacbt.exe
File opened for modification | inipelkjl.exe_lang.ini | infnxzhjm.exe
File created | inqdhyock.exe | inertnmni.exe
File opened for modification | syslog.dat | ingvetxyk.exe
File created | inrngsnzc.exe | inomzqrdt.exe
File opened for modification | syslog.dat | inbmkzbqa.exe
File opened for modification | syslog.dat | insywlfel.exe
File opened for modification | inujlcwuk.exe_lang.ini | invnbgkek.exe
File created | inomvcziu.exe | inewhnrej.exe
File opened for modification | inbbkvfva.exe_lang.ini | innezovdr.exe
File created | incbskfog.exe | inrkqhiua.exe
File created | inoavpdfe.exe | indwztgsi.exe
File opened for modification | injlxlxig.exe_lang.ini | inthmqkqb.exe
File opened for modification | inldtepix.exe_lang.ini | inrdysgih.exe
File opened for modification | intcrvwiy.exe_lang.ini | inbrulkss.exe
File created | ingwzqpxx.exe | inmnccutj.exe
File opened for modification | syslog.dat | inmnccutj.exe
File opened for modification | inngmlnpt.exe_lang.ini | inixomukg.exe
File created | inyodrton.exe | inovtknpq.exe
File opened for modification | syslog.dat | incldxuje.exe
File created | infhfyusg.exe | inebmvqfa.exe
File opened for modification | syslog.dat | invrckwrg.exe
File opened for modification | inxjymong.exe_lang.ini | inrcangym.exe
File created | infumgnyd.exe | inljyapnv.exe
File created | intpaiupe.exe | indhxkwmb.exe
File opened for modification | intpaiupe.exe_lang.ini | indhxkwmb.exe
File created | inzloqpih.exe | incsvmltt.exe
File opened for modification | syslog.dat | inzloqpih.exe
File opened for modification | syslog.dat | insbznvcp.exe
File opened for modification | iniqzgcyz.exe_lang.ini | inxtemyti.exe
File opened for modification | syslog.dat | inclwgwbt.exe
File opened for modification | syslog.dat | inkhtihxi.exe
File created | inzkcszdo.exe | invshckbs.exe
File created | inujqmuoe.exe | injyiwuqi.exe
File opened for modification | syslog.dat | inomzqrdt.exe
File created | iniqzgcyz.exe | inxtemyti.exe
File opened for modification | syslog.dat | injfqeotx.exe
File opened for modification | syslog.dat | inftrnfcc.exe
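Each hop in this section has the same shape: a stage writes the next in*.exe into C:\Windows\SysWOW64, writes a <next>.exe_lang.ini beside it (for example inxtemyti.exe creates iniqzgcyz.exe and opens iniqzgcyz.exe_lang.ini), and touches syslog.dat in the same directory. Note that the stubpath values in the registry section name C:\Windows\system32 while every file lands in SysWOW64: the sample is 32-bit (arch:x86, WOW6432Node), so its writes to system32 are redirected by WOW64, and a hunt for the dropped files should check both directories. As an added example that is not part of the report, the Python below detects that drop pattern in file-write telemetry. The events are constructed for the example in the shape of Sysmon file-create records (the field names Image and TargetFilename are Sysmon's; the flat dict layout is an assumption); file and process names are taken from this section, and the svchost.exe event is made-up benign noise.

```python
import re
from collections import defaultdict

SYSWOW64 = 'c:\\windows\\syswow64\\'
# Naming scheme of this sample's dropped stages: "in" followed by seven lowercase letters.
STAGE_NAME_RE = re.compile(r'^in[a-z]{7}\.exe$', re.IGNORECASE)

# Constructed sample events in the shape of Sysmon FileCreate records.
# Names are taken from this section of the report; the svchost.exe event is
# made-up benign noise that must not be flagged.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\SysWOW64\inxtemyti.exe', 'TargetFilename': r'C:\Windows\SysWOW64\iniqzgcyz.exe'},
    {'Image': r'C:\Windows\SysWOW64\inxtemyti.exe', 'TargetFilename': r'C:\Windows\SysWOW64\iniqzgcyz.exe_lang.ini'},
    {'Image': r'C:\Windows\SysWOW64\inxtemyti.exe', 'TargetFilename': r'C:\Windows\SysWOW64\syslog.dat'},
    {'Image': r'C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe', 'TargetFilename': r'C:\Windows\SysWOW64\inuqbjvqf.exe'},
    {'Image': r'C:\Windows\SysWOW64\inkvbdqbu.exe', 'TargetFilename': r'C:\Windows\SysWOW64\inxrqyyst.exe'},
    {'Image': r'C:\Windows\System32\svchost.exe', 'TargetFilename': r'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\noise.tmp'},
]


def basename(path):
    return path.rsplit('\\', 1)[-1]


def in_syswow64(path):
    """True when the file sits directly in SysWOW64 (not in a subdirectory)."""
    return path.lower().startswith(SYSWOW64) and '\\' not in path[len(SYSWOW64):]


def find_stage_drops(events):
    """For every process that writes a new in*.exe directly into SysWOW64,
    report the stage and whether the two side files were written as well."""
    writes = defaultdict(list)
    for ev in events:
        writes[ev['Image']].append(ev['TargetFilename'])

    findings = []
    for writer, targets in writes.items():
        names = {basename(t).lower() for t in targets if in_syswow64(t)}
        for stage in sorted(n for n in names if STAGE_NAME_RE.match(n)):
            findings.append({
                'writer': writer,
                'stage': stage,
                'lang_ini': stage + '_lang.ini' in names,   # <stage>.exe_lang.ini
                'syslog_dat': 'syslog.dat' in names,
                'writer_is_stage': bool(STAGE_NAME_RE.match(basename(writer))),
            })
    return findings


def score(finding):
    """Rough confidence: the full triad is what this sample does at every hop;
    a lone in*.exe write from a non-stage parent (the first hop) scores lower."""
    hits = sum((finding['lang_ini'], finding['syslog_dat'], finding['writer_is_stage']))
    return 'high' if hits >= 2 else 'medium'


if __name__ == '__main__':
    for f in find_stage_drops(SAMPLE_EVENTS):
        print(f"{score(f):6} {basename(f['writer'])} -> {f['stage']}")
```

Writing into SysWOW64 needs administrative rights, which the sandbox user (C:\Users\Admin) has; on a host where the sample runs unprivileged the same chain would fail at the first drop, so the absence of these files does not by itself clear a machine that executed the initial binary.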
Suspicious behavior: EnumeratesProcesses 64 IoCs
The report lists each process twice (64 entries for 32 processes); the set is identical to the "Loads dropped DLL" list:
pid | Process
2924 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
3860 | inuqbjvqf.exe
4044 | invrckwrg.exe
2224 | incgzwjvl.exe
4668 | insohtodl.exe
5048 | inyjbrycn.exe
3820 | inrdysgih.exe
1876 | inldtepix.exe
2880 | intfuikjc.exe
752 | incrjzdkv.exe
3400 | inaikwkwh.exe
1728 | inpbwqegf.exe
2504 | inlsmacbt.exe
5080 | insvxwpco.exe
3544 | inwhpwale.exe
4552 | inhwoipfi.exe
2920 | inogwahsa.exe
3632 | indwztgsi.exe
3420 | inoavpdfe.exe
1300 | ingvzmksi.exe
1976 | inbrulkss.exe
4192 | intcrvwiy.exe
2404 | inqcxrfhg.exe
860 | infhthtec.exe
4100 | injwnoaqy.exe
440 | inpiofygs.exe
5076 | inpleqlxa.exe
4460 | inzvgovkd.exe
3488 | inewrcnnk.exe
3412 | inykznpoh.exe
4596 | inomzqrdt.exe
1472 | inrngsnzc.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege in every one of the 64 entries.
pid | Process
2924 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
3860 | inuqbjvqf.exe
4044 | invrckwrg.exe
2224 | incgzwjvl.exe
4668 | insohtodl.exe
5048 | inyjbrycn.exe
3820 | inrdysgih.exe
1876 | inldtepix.exe
2880 | intfuikjc.exe
752 | incrjzdkv.exe
3400 | inaikwkwh.exe
1728 | inpbwqegf.exe
2504 | inlsmacbt.exe
5080 | insvxwpco.exe
3544 | inwhpwale.exe
4552 | inhwoipfi.exe
2920 | inogwahsa.exe
3632 | indwztgsi.exe
3420 | inoavpdfe.exe
1300 | ingvzmksi.exe
1976 | inbrulkss.exe
4192 | intcrvwiy.exe
2404 | inqcxrfhg.exe
860 | infhthtec.exe
4100 | injwnoaqy.exe
440 | inpiofygs.exe
5076 | inpleqlxa.exe
4460 | inzvgovkd.exe
3488 | inewrcnnk.exe
3412 | inykznpoh.exe
4596 | inomzqrdt.exe
1472 | inrngsnzc.exe
1116 | insbquvhx.exe
4188 | inoxdfqoe.exe
2924 | ineybxzdp.exe
1288 | inixpjqgj.exe
1068 | inmeufqjy.exe
3852 | inbuxzyre.exe
4656 | ingvetxyk.exe
2404 | ingtvpopk.exe
3708 | inxtemyti.exe
1020 | iniqzgcyz.exe
4572 | innlypqcs.exe
1756 | incvyzsfr.exe
3624 | inkuaczqt.exe
4908 | inmnccutj.exe
4500 | ingwzqpxx.exe
1832 | innuocedv.exe
4336 | inbqostfv.exe
3260 | infslrijv.exe
3352 | inbjwysrs.exe
4140 | inlofemzm.exe
4084 | inqgdzfrf.exe
4664 | inigtklnv.exe
4512 | inazpsjiq.exe
944 | injyqkarh.exe
3364 | inqklaasr.exe
5104 | inkbaivic.exe
4984 | innfvgrkz.exe
2880 | inrshhzyd.exe
4368 | inyorihpp.exe
1756 | inbjudnts.exe
2640 | inaivxrqr.exe
1348 | ingtgabri.exe
Suspicious use of SetWindowsHookEx 28 IoCs
pid | Process
2924 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe
3860 | inuqbjvqf.exe
4044 | invrckwrg.exe
2224 | incgzwjvl.exe
4668 | insohtodl.exe
5048 | inyjbrycn.exe
3820 | inrdysgih.exe
1876 | inldtepix.exe
2880 | intfuikjc.exe
752 | incrjzdkv.exe
3400 | inaikwkwh.exe
1728 | inpbwqegf.exe
2504 | inlsmacbt.exe
5080 | insvxwpco.exe
3544 | inwhpwale.exe
4552 | inhwoipfi.exe
2920 | inogwahsa.exe
3632 | indwztgsi.exe
3420 | inoavpdfe.exe
1300 | ingvzmksi.exe
1976 | inbrulkss.exe
4192 | intcrvwiy.exe
2404 | inqcxrfhg.exe
860 | infhthtec.exe
4100 | injwnoaqy.exe
440 | inpiofygs.exe
5076 | inpleqlxa.exe
4460 | inzvgovkd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each of the first 21 writes is reported three times; the list is capped at 64 entries, so the final write appears once. Each stage writes only into the process it launches next, forming a single linear chain from the submitted sample.
description | pid | Process | procid_target
PID 2924 wrote to memory of 3860 | 2924 | NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe | 83
PID 3860 wrote to memory of 4044 | 3860 | inuqbjvqf.exe | 84
PID 4044 wrote to memory of 2224 | 4044 | invrckwrg.exe | 100
PID 2224 wrote to memory of 4668 | 2224 | incgzwjvl.exe | 92
PID 4668 wrote to memory of 5048 | 4668 | insohtodl.exe | 85
PID 5048 wrote to memory of 3820 | 5048 | inyjbrycn.exe | 86
PID 3820 wrote to memory of 1876 | 3820 | inrdysgih.exe | 90
PID 1876 wrote to memory of 2880 | 1876 | inldtepix.exe | 87
PID 2880 wrote to memory of 752 | 2880 | intfuikjc.exe | 88
PID 752 wrote to memory of 3400 | 752 | incrjzdkv.exe | 89
PID 3400 wrote to memory of 1728 | 3400 | inaikwkwh.exe | 91
PID 1728 wrote to memory of 2504 | 1728 | inpbwqegf.exe | 93
PID 2504 wrote to memory of 5080 | 2504 | inlsmacbt.exe | 94
PID 5080 wrote to memory of 3544 | 5080 | insvxwpco.exe | 95
PID 3544 wrote to memory of 4552 | 3544 | inwhpwale.exe | 96
PID 4552 wrote to memory of 2920 | 4552 | inhwoipfi.exe | 97
PID 2920 wrote to memory of 3632 | 2920 | inogwahsa.exe | 98
PID 3632 wrote to memory of 3420 | 3632 | indwztgsi.exe | 99
PID 3420 wrote to memory of 1300 | 3420 | inoavpdfe.exe | 101
PID 1300 wrote to memory of 1976 | 1300 | ingvzmksi.exe | 102
PID 1976 wrote to memory of 4192 | 1976 | inbrulkss.exe | 103
PID 4192 wrote to memory of 2404 | 4192 | intcrvwiy.exe | 104
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.2689377888cb7847a060ffc515f5fcc0_JC.exe")
- Modifies Installed Components in the registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2924

[depth 2] C:\Windows\SysWOW64\inuqbjvqf.exe  (cmdline: C:\Windows\system32\inuqbjvqf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3860

[depth 3] C:\Windows\SysWOW64\invrckwrg.exe  (cmdline: C:\Windows\system32\invrckwrg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4044

[depth 4] C:\Windows\SysWOW64\incgzwjvl.exe  (cmdline: C:\Windows\system32\incgzwjvl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2224
[depth 1] C:\Windows\SysWOW64\inyjbrycn.exe  (cmdline: C:\Windows\system32\inyjbrycn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5048

[depth 2] C:\Windows\SysWOW64\inrdysgih.exe  (cmdline: C:\Windows\system32\inrdysgih.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3820

[depth 3] C:\Windows\SysWOW64\inldtepix.exe  (cmdline: C:\Windows\system32\inldtepix.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1876
[depth 1] C:\Windows\SysWOW64\intfuikjc.exe  (cmdline: C:\Windows\system32\intfuikjc.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2880

[depth 2] C:\Windows\SysWOW64\incrjzdkv.exe  (cmdline: C:\Windows\system32\incrjzdkv.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 752

[depth 3] C:\Windows\SysWOW64\inaikwkwh.exe  (cmdline: C:\Windows\system32\inaikwkwh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3400

[depth 4] C:\Windows\SysWOW64\inpbwqegf.exe  (cmdline: C:\Windows\system32\inpbwqegf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1728

[depth 5] C:\Windows\SysWOW64\inlsmacbt.exe  (cmdline: C:\Windows\system32\inlsmacbt.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2504

[depth 6] C:\Windows\SysWOW64\insvxwpco.exe  (cmdline: C:\Windows\system32\insvxwpco.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5080

[depth 7] C:\Windows\SysWOW64\inwhpwale.exe  (cmdline: C:\Windows\system32\inwhpwale.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3544

[depth 8] C:\Windows\SysWOW64\inhwoipfi.exe  (cmdline: C:\Windows\system32\inhwoipfi.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4552

[depth 9] C:\Windows\SysWOW64\inogwahsa.exe  (cmdline: C:\Windows\system32\inogwahsa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2920

[depth 10] C:\Windows\SysWOW64\indwztgsi.exe  (cmdline: C:\Windows\system32\indwztgsi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3632

[depth 11] C:\Windows\SysWOW64\inoavpdfe.exe  (cmdline: C:\Windows\system32\inoavpdfe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3420

[depth 12] C:\Windows\SysWOW64\ingvzmksi.exe  (cmdline: C:\Windows\system32\ingvzmksi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1300

[depth 13] C:\Windows\SysWOW64\inbrulkss.exe  (cmdline: C:\Windows\system32\inbrulkss.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1976

[depth 14] C:\Windows\SysWOW64\intcrvwiy.exe  (cmdline: C:\Windows\system32\intcrvwiy.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4192
[depth 15] C:\Windows\SysWOW64\inqcxrfhg.exe  (cmdline: C:\Windows\system32\inqcxrfhg.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2404

[depth 16] C:\Windows\SysWOW64\infhthtec.exe  (cmdline: C:\Windows\system32\infhthtec.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 860

[depth 17] C:\Windows\SysWOW64\injwnoaqy.exe  (cmdline: C:\Windows\system32\injwnoaqy.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4100

[depth 18] C:\Windows\SysWOW64\inpiofygs.exe  (cmdline: C:\Windows\system32\inpiofygs.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 440

[depth 19] C:\Windows\SysWOW64\inpleqlxa.exe  (cmdline: C:\Windows\system32\inpleqlxa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5076

[depth 20] C:\Windows\SysWOW64\inzvgovkd.exe  (cmdline: C:\Windows\system32\inzvgovkd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4460

[depth 21] C:\Windows\SysWOW64\inewrcnnk.exe  (cmdline: C:\Windows\system32\inewrcnnk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3488

[depth 22] C:\Windows\SysWOW64\inykznpoh.exe  (cmdline: C:\Windows\system32\inykznpoh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3412

[depth 23] C:\Windows\SysWOW64\inomzqrdt.exe  (cmdline: C:\Windows\system32\inomzqrdt.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4596

[depth 24] C:\Windows\SysWOW64\inrngsnzc.exe  (cmdline: C:\Windows\system32\inrngsnzc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1472

[depth 25] C:\Windows\SysWOW64\insbquvhx.exe  (cmdline: C:\Windows\system32\insbquvhx.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1116

[depth 26] C:\Windows\SysWOW64\inoxdfqoe.exe  (cmdline: C:\Windows\system32\inoxdfqoe.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4188

[depth 27] C:\Windows\SysWOW64\ineybxzdp.exe  (cmdline: C:\Windows\system32\ineybxzdp.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2924

[depth 28] C:\Windows\SysWOW64\inixpjqgj.exe  (cmdline: C:\Windows\system32\inixpjqgj.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1288

[depth 29] C:\Windows\SysWOW64\inmeufqjy.exe  (cmdline: C:\Windows\system32\inmeufqjy.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1068

[depth 30] C:\Windows\SysWOW64\inbuxzyre.exe  (cmdline: C:\Windows\system32\inbuxzyre.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3852

[depth 31] C:\Windows\SysWOW64\ingvetxyk.exe  (cmdline: C:\Windows\system32\ingvetxyk.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4656

[depth 32] C:\Windows\SysWOW64\ingtvpopk.exe  (cmdline: C:\Windows\system32\ingtvpopk.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 2404

[depth 33] C:\Windows\SysWOW64\inxtemyti.exe  (cmdline: C:\Windows\system32\inxtemyti.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3708

[depth 34] C:\Windows\SysWOW64\iniqzgcyz.exe  (cmdline: C:\Windows\system32\iniqzgcyz.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1020

[depth 35] C:\Windows\SysWOW64\innlypqcs.exe  (cmdline: C:\Windows\system32\innlypqcs.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4572
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572 -
[depth 36] C:\Windows\SysWOW64\incvyzsfr.exe  (cmdline: C:\Windows\system32\incvyzsfr.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1756

[depth 37] C:\Windows\SysWOW64\inkuaczqt.exe  (cmdline: C:\Windows\system32\inkuaczqt.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3624

[depth 38] C:\Windows\SysWOW64\inmnccutj.exe  (cmdline: C:\Windows\system32\inmnccutj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4908

[depth 39] C:\Windows\SysWOW64\ingwzqpxx.exe  (cmdline: C:\Windows\system32\ingwzqpxx.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4500

[depth 40] C:\Windows\SysWOW64\innuocedv.exe  (cmdline: C:\Windows\system32\innuocedv.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1832

[depth 41] C:\Windows\SysWOW64\inbqostfv.exe  (cmdline: C:\Windows\system32\inbqostfv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4336

[depth 42] C:\Windows\SysWOW64\infslrijv.exe  (cmdline: C:\Windows\system32\infslrijv.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3260

[depth 43] C:\Windows\SysWOW64\inbjwysrs.exe  (cmdline: C:\Windows\system32\inbjwysrs.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3352

[depth 44] C:\Windows\SysWOW64\inlofemzm.exe  (cmdline: C:\Windows\system32\inlofemzm.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4140

[depth 45] C:\Windows\SysWOW64\inqgdzfrf.exe  (cmdline: C:\Windows\system32\inqgdzfrf.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 4084

[depth 46] C:\Windows\SysWOW64\inigtklnv.exe  (cmdline: C:\Windows\system32\inigtklnv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4664

[depth 47] C:\Windows\SysWOW64\inazpsjiq.exe  (cmdline: C:\Windows\system32\inazpsjiq.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4512

[depth 48] C:\Windows\SysWOW64\injyqkarh.exe  (cmdline: C:\Windows\system32\injyqkarh.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 944

[depth 49] C:\Windows\SysWOW64\inqklaasr.exe  (cmdline: C:\Windows\system32\inqklaasr.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3364

[depth 50] C:\Windows\SysWOW64\inkbaivic.exe  (cmdline: C:\Windows\system32\inkbaivic.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5104

[depth 51] C:\Windows\SysWOW64\innfvgrkz.exe  (cmdline: C:\Windows\system32\innfvgrkz.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4984

[depth 52] C:\Windows\SysWOW64\inrshhzyd.exe  (cmdline: C:\Windows\system32\inrshhzyd.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2880

[depth 53] C:\Windows\SysWOW64\inyorihpp.exe  (cmdline: C:\Windows\system32\inyorihpp.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4368

[depth 54] C:\Windows\SysWOW64\inbjudnts.exe  (cmdline: C:\Windows\system32\inbjudnts.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1756

[depth 55] C:\Windows\SysWOW64\inaivxrqr.exe  (cmdline: C:\Windows\system32\inaivxrqr.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2640

[depth 56] C:\Windows\SysWOW64\ingtgabri.exe  (cmdline: C:\Windows\system32\ingtgabri.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1348

[depth 57] C:\Windows\SysWOW64\invwyxcqk.exe  (cmdline: C:\Windows\system32\invwyxcqk.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
PID: 3140

[depth 58] C:\Windows\SysWOW64\indpalewk.exe  (cmdline: C:\Windows\system32\indpalewk.exe)
PID: 4556

[depth 59] C:\Windows\SysWOW64\inwixlnmf.exe  (cmdline: C:\Windows\system32\inwixlnmf.exe)
- Modifies Installed Components in the registry
PID: 3816

[depth 60] C:\Windows\SysWOW64\injmdckxk.exe  (cmdline: C:\Windows\system32\injmdckxk.exe)
PID: 1600

[depth 61] C:\Windows\SysWOW64\inbuzcxoc.exe  (cmdline: C:\Windows\system32\inbuzcxoc.exe)
PID: 3856

[depth 62] C:\Windows\SysWOW64\ingvnhoze.exe  (cmdline: C:\Windows\system32\ingvnhoze.exe)
PID: 1288

[depth 63] C:\Windows\SysWOW64\inefvmlzb.exe  (cmdline: C:\Windows\system32\inefvmlzb.exe)
PID: 4084
[depth 64] C:\Windows\SysWOW64\inaphxbit.exe  (cmdline: C:\Windows\system32\inaphxbit.exe)
- Modifies Installed Components in the registry
PID: 2912

[depth 65] C:\Windows\SysWOW64\inrcangym.exe  (cmdline: C:\Windows\system32\inrcangym.exe)
- Drops file in System32 directory
PID: 4620

[depth 66] C:\Windows\SysWOW64\inxjymong.exe  (cmdline: C:\Windows\system32\inxjymong.exe)
PID: 1576

[depth 67] C:\Windows\SysWOW64\infvqbbup.exe  (cmdline: C:\Windows\system32\infvqbbup.exe)
PID: 4324

[depth 68] C:\Windows\SysWOW64\inatwyxqd.exe  (cmdline: C:\Windows\system32\inatwyxqd.exe)
PID: 3212

[depth 69] C:\Windows\SysWOW64\inupalliz.exe  (cmdline: C:\Windows\system32\inupalliz.exe)
PID: 684

[depth 70] C:\Windows\SysWOW64\inljyapnv.exe  (cmdline: C:\Windows\system32\inljyapnv.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 4208

[depth 71] C:\Windows\SysWOW64\infumgnyd.exe  (cmdline: C:\Windows\system32\infumgnyd.exe)
- Modifies Installed Components in the registry
PID: 3412

[depth 72] C:\Windows\SysWOW64\inmprqjiy.exe  (cmdline: C:\Windows\system32\inmprqjiy.exe)
- Modifies Installed Components in the registry
PID: 2276

[depth 73] C:\Windows\SysWOW64\inhzrfkoi.exe  (cmdline: C:\Windows\system32\inhzrfkoi.exe)
- Modifies Installed Components in the registry
PID: 4924

[depth 74] C:\Windows\SysWOW64\infnwdvwr.exe  (cmdline: C:\Windows\system32\infnwdvwr.exe)
PID: 5016

[depth 75] C:\Windows\SysWOW64\injqftzfq.exe  (cmdline: C:\Windows\system32\injqftzfq.exe)
PID: 2460

[depth 76] C:\Windows\SysWOW64\inwmpgfnn.exe  (cmdline: C:\Windows\system32\inwmpgfnn.exe)
- Drops file in System32 directory
PID: 4052

[depth 77] C:\Windows\SysWOW64\inwsdlxsh.exe  (cmdline: C:\Windows\system32\inwsdlxsh.exe)
- Modifies Installed Components in the registry
PID: 4428

[depth 78] C:\Windows\SysWOW64\inhfsfaqh.exe  (cmdline: C:\Windows\system32\inhfsfaqh.exe)
PID: 448

[depth 79] C:\Windows\SysWOW64\indhxkwmb.exe  (cmdline: C:\Windows\system32\indhxkwmb.exe)
- Drops file in System32 directory
PID: 2816

[depth 80] C:\Windows\SysWOW64\intpaiupe.exe  (cmdline: C:\Windows\system32\intpaiupe.exe)
PID: 4832

[depth 81] C:\Windows\SysWOW64\inyufnzuj.exe  (cmdline: C:\Windows\system32\inyufnzuj.exe)
- Modifies Installed Components in the registry
PID: 4184

[depth 82] C:\Windows\SysWOW64\inxtleici.exe  (cmdline: C:\Windows\system32\inxtleici.exe)
- Modifies Installed Components in the registry
PID: 2888

[depth 83] C:\Windows\SysWOW64\ingrakqpr.exe  (cmdline: C:\Windows\system32\ingrakqpr.exe)
PID: 3032

[depth 84] C:\Windows\SysWOW64\insrzztuj.exe  (cmdline: C:\Windows\system32\insrzztuj.exe)
PID: 4472

[depth 85] C:\Windows\SysWOW64\inadbobmd.exe  (cmdline: C:\Windows\system32\inadbobmd.exe)
PID: 4748

[depth 86] C:\Windows\SysWOW64\intxcqoxe.exe  (cmdline: C:\Windows\system32\intxcqoxe.exe)
PID: 4704

[depth 87] C:\Windows\SysWOW64\inclzteci.exe  (cmdline: C:\Windows\system32\inclzteci.exe)
PID: 3516

[depth 88] C:\Windows\SysWOW64\indwezqep.exe  (cmdline: C:\Windows\system32\indwezqep.exe)
- Modifies Installed Components in the registry
PID: 3792

[depth 89] C:\Windows\SysWOW64\infvypoww.exe  (cmdline: C:\Windows\system32\infvypoww.exe)
PID: 2992

[depth 90] C:\Windows\SysWOW64\inhwnltjf.exe  (cmdline: C:\Windows\system32\inhwnltjf.exe)
PID: 3580

[depth 91] C:\Windows\SysWOW64\inruwvobn.exe  (cmdline: C:\Windows\system32\inruwvobn.exe)
- Modifies Installed Components in the registry
PID: 4780

[depth 92] C:\Windows\SysWOW64\inmxiifwj.exe  (cmdline: C:\Windows\system32\inmxiifwj.exe)
PID: 3856

[depth 93] C:\Windows\SysWOW64\indtkzjxv.exe  (cmdline: C:\Windows\system32\indtkzjxv.exe)
- Modifies Installed Components in the registry
PID: 64

[depth 94] C:\Windows\SysWOW64\inqtvunam.exe  (cmdline: C:\Windows\system32\inqtvunam.exe)
PID: 628

[depth 95] C:\Windows\SysWOW64\inthmqkqb.exe  (cmdline: C:\Windows\system32\inthmqkqb.exe)
- Drops file in System32 directory
PID: 4400

[depth 96] C:\Windows\SysWOW64\injlxlxig.exe  (cmdline: C:\Windows\system32\injlxlxig.exe)
PID: 1532

[depth 97] C:\Windows\SysWOW64\inmkxopbr.exe  (cmdline: C:\Windows\system32\inmkxopbr.exe)
PID: 1944

[depth 98] C:\Windows\SysWOW64\inionprva.exe  (cmdline: C:\Windows\system32\inionprva.exe)
PID: 1632

[depth 99] C:\Windows\SysWOW64\inpnehxjk.exe  (cmdline: C:\Windows\system32\inpnehxjk.exe)
PID: 2876

[depth 100] C:\Windows\SysWOW64\insezthji.exe  (cmdline: C:\Windows\system32\insezthji.exe)
PID: 4908

[depth 101] C:\Windows\SysWOW64\inqrggyxc.exe  (cmdline: C:\Windows\system32\inqrggyxc.exe)
PID: 1044

[depth 102] C:\Windows\SysWOW64\inugvjlkd.exe  (cmdline: C:\Windows\system32\inugvjlkd.exe)
- Modifies Installed Components in the registry
PID: 1484

[depth 103] C:\Windows\SysWOW64\inbfyviuk.exe  (cmdline: C:\Windows\system32\inbfyviuk.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 2276

[depth 104] C:\Windows\SysWOW64\inkivmnpx.exe  (cmdline: C:\Windows\system32\inkivmnpx.exe)
PID: 4932

[depth 105] C:\Windows\SysWOW64\inqzaupvo.exe  (cmdline: C:\Windows\system32\inqzaupvo.exe)
PID: 1440

[depth 106] C:\Windows\SysWOW64\intmsjkwc.exe  (cmdline: C:\Windows\system32\intmsjkwc.exe)
- Modifies Installed Components in the registry
PID: 2688

[depth 107] C:\Windows\SysWOW64\inixomukg.exe  (cmdline: C:\Windows\system32\inixomukg.exe)
- Drops file in System32 directory
PID: 1564

[depth 108] C:\Windows\SysWOW64\inngmlnpt.exe  (cmdline: C:\Windows\system32\inngmlnpt.exe)
PID: 712

[depth 109] C:\Windows\SysWOW64\inxhvtpha.exe  (cmdline: C:\Windows\system32\inxhvtpha.exe)
PID: 1748

[depth 110] C:\Windows\SysWOW64\inmtnbdcu.exe  (cmdline: C:\Windows\system32\inmtnbdcu.exe)
PID: 2816

[depth 111] C:\Windows\SysWOW64\indxawycz.exe  (cmdline: C:\Windows\system32\indxawycz.exe)
PID: 4512

[depth 112] C:\Windows\SysWOW64\inetlfmxc.exe  (cmdline: C:\Windows\system32\inetlfmxc.exe)
PID: 316

[depth 113] C:\Windows\SysWOW64\invhwkmle.exe  (cmdline: C:\Windows\system32\invhwkmle.exe)
PID: 2880

[depth 114] C:\Windows\SysWOW64\ineuxonvv.exe  (cmdline: C:\Windows\system32\ineuxonvv.exe)
PID: 1728

[depth 115] C:\Windows\SysWOW64\inhiypoew.exe  (cmdline: C:\Windows\system32\inhiypoew.exe)
PID: 4520

[depth 116] C:\Windows\SysWOW64\injkrqgyq.exe  (cmdline: C:\Windows\system32\injkrqgyq.exe)
- Modifies Installed Components in the registry
PID: 4500

[depth 117] C:\Windows\SysWOW64\inbmkzbqa.exe  (cmdline: C:\Windows\system32\inbmkzbqa.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 4344

[depth 118] C:\Windows\SysWOW64\inmvbdomc.exe  (cmdline: C:\Windows\system32\inmvbdomc.exe)
PID: 2172

[depth 119] C:\Windows\SysWOW64\inscqyokc.exe  (cmdline: C:\Windows\system32\inscqyokc.exe)
PID: 4200

[depth 120] C:\Windows\SysWOW64\inkwblfyk.exe  (cmdline: C:\Windows\system32\inkwblfyk.exe)
PID: 3260

[depth 121] C:\Windows\SysWOW64\inlhzufqa.exe  (cmdline: C:\Windows\system32\inlhzufqa.exe)
- Drops file in System32 directory
PID: 5040

[depth 122] C:\Windows\SysWOW64\insaljfpw.exe  (cmdline: C:\Windows\system32\insaljfpw.exe)
PID: 4612