Analysis
max time kernel: 147s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
submitted: 01/11/2023, 12:33
Behavioral task: behavioral1
Sample: NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe
Resource: win7-20231023-en
11 signatures
150 seconds
Behavioral task: behavioral2
Sample: NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe
Resource: win10v2004-20231020-en
11 signatures
150 seconds
General
Target: NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe
Size: 348KB
MD5: ad825727d40dbf4409ff5bfabf92c0d0
SHA1: b6fd2fe3dcadba07cac6decad431607cc2e8a8bf
SHA256: d319ff6eb4c50e7f2a8da085c3c46c3fe15b84932d269f4ca438493040134fe4
SHA512: 7be6d0c15beea5c1164a4d5b4216d57a4260e6de5efa5bd16a0ce1094844ad93b9f51d391599a86c5381f3cb022cf77ecda53df50b7443c52f71bccf849e0598
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SA:ouLwoZQGpnedeP/deUe1ppGjTGHZRT08
Score: 10/10
Malware Config
Signatures
Gh0st RAT payload 61 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1680 wrote to memory of 1688 1680 innuocedv.exe 91
PID 1680 wrote to memory of 1688 1680 innuocedv.exe 91
PID 1680 wrote to memory of 1688 1680 innuocedv.exe 91
PID 1688 wrote to memory of 3952 1688 inxtemyti.exe 90
PID 1688 wrote to memory of 3952 1688 inxtemyti.exe 90
PID 1688 wrote to memory of 3952 1688 inxtemyti.exe 90
PID 3952 wrote to memory of 4264 3952 inpleqlxa.exe 88
PID 3952 wrote to memory of 4264 3952 inpleqlxa.exe 88
PID 3952 wrote to memory of 4264 3952 inpleqlxa.exe 88
PID 4264 wrote to memory of 3080 4264 inrdysgih.exe 89
PID 4264 wrote to memory of 3080 4264 inrdysgih.exe 89
PID 4264 wrote to memory of 3080 4264 inrdysgih.exe 89
PID 3080 wrote to memory of 3996 3080 inuqbjvqf.exe 93
PID 3080 wrote to memory of 3996 3080 inuqbjvqf.exe 93
PID 3080 wrote to memory of 3996 3080 inuqbjvqf.exe 93
PID 3996 wrote to memory of 2488 3996 inogwahsa.exe 94
PID 3996 wrote to memory of 2488 3996 inogwahsa.exe 94
PID 3996 wrote to memory of 2488 3996 inogwahsa.exe 94
PID 2488 wrote to memory of 2840 2488 incvyzsfr.exe 95
PID 2488 wrote to memory of 2840 2488 incvyzsfr.exe 95
PID 2488 wrote to memory of 2840 2488 incvyzsfr.exe 95
PID 2840 wrote to memory of 500 2840 inbqiycju.exe 101
PID 2840 wrote to memory of 500 2840 inbqiycju.exe 101
PID 2840 wrote to memory of 500 2840 inbqiycju.exe 101
PID 500 wrote to memory of 5056 500 incanalcr.exe 100
PID 500 wrote to memory of 5056 500 incanalcr.exe 100
PID 500 wrote to memory of 5056 500 incanalcr.exe 100
PID 5056 wrote to memory of 4976 5056 inzvgovkd.exe 96
PID 5056 wrote to memory of 4976 5056 inzvgovkd.exe 96
PID 5056 wrote to memory of 4976 5056 inzvgovkd.exe 96
PID 4976 wrote to memory of 1104 4976 inoavpdfe.exe 98
PID 4976 wrote to memory of 1104 4976 inoavpdfe.exe 98
PID 4976 wrote to memory of 1104 4976 inoavpdfe.exe 98
PID 1104 wrote to memory of 3556 1104 inaexuhtj.exe 102
PID 1104 wrote to memory of 3556 1104 inaexuhtj.exe 102
PID 1104 wrote to memory of 3556 1104 inaexuhtj.exe 102
PID 3556 wrote to memory of 3524 3556 inbuxzyre.exe 103
PID 3556 wrote to memory of 3524 3556 inbuxzyre.exe 103
PID 3556 wrote to memory of 3524 3556 inbuxzyre.exe 103
PID 3524 wrote to memory of 3708 3524 inxjymong.exe 104
PID 3524 wrote to memory of 3708 3524 inxjymong.exe 104
PID 3524 wrote to memory of 3708 3524 inxjymong.exe 104
PID 3708 wrote to memory of 1376 3708 innlypqcs.exe 105
PID 3708 wrote to memory of 1376 3708 innlypqcs.exe 105
PID 3708 wrote to memory of 1376 3708 innlypqcs.exe 105
PID 1376 wrote to memory of 2844 1376 infvypoww.exe 107
PID 1376 wrote to memory of 2844 1376 infvypoww.exe 107
PID 1376 wrote to memory of 2844 1376 infvypoww.exe 107
PID 2844 wrote to memory of 316 2844 insvxwpco.exe 109
PID 2844 wrote to memory of 316 2844 insvxwpco.exe 109
PID 2844 wrote to memory of 316 2844 insvxwpco.exe 109
PID 316 wrote to memory of 2708 316 inqmfrmyb.exe 110
PID 316 wrote to memory of 2708 316 inqmfrmyb.exe 110
PID 316 wrote to memory of 2708 316 inqmfrmyb.exe 110
PID 2708 wrote to memory of 1272 2708 invrckwrg.exe 111
PID 2708 wrote to memory of 1272 2708 invrckwrg.exe 111
PID 2708 wrote to memory of 1272 2708 invrckwrg.exe 111
PID 1272 wrote to memory of 5016 1272 inigtklnv.exe 112
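The WriteProcessMemory table records a strict hand-off: each process writes into the address space of exactly one newly created process, which then does the same to the next dropped copy. The same (writer, target) pair is listed three times per hop. The rendered process tree further down is a less reliable record of this lineage: it restarts depth numbering at inrdysgih.exe, inpleqlxa.exe and inoavpdfe.exe although the table shows them as links in one chain, and it does not list inzvgovkd.exe (PID 5056) at all. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses the table's records, collapses the repeated entries and walks writer-to-target links to recover the relay order. WPM_RECORDS is a constructed subset copied from the table above; the trailing procid_target column is taken here to be the sandbox's own sequential process index for the target rather than a Windows PID, and is parsed but not used.

```python
import re
from collections import defaultdict

# Constructed input: the first records of the WriteProcessMemory table above,
# copied from this report. The real table is one run-on line; the regex below
# works on either form because it never relies on line breaks.
WPM_RECORDS = """\
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 3684 wrote to memory of 1816 3684 NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe 86
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1816 wrote to memory of 1680 1816 inwhpwale.exe 87
PID 1680 wrote to memory of 1688 1680 innuocedv.exe 91
PID 1688 wrote to memory of 3952 1688 inxtemyti.exe 90
PID 3952 wrote to memory of 4264 3952 inpleqlxa.exe 88
"""

# One record: "PID <writer> wrote to memory of <target> <writer> <writer image> <sandbox index>"
# (procid_target is assumed to be the sandbox's process index, not a Windows PID)
RECORD_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_records(text):
    """Return unique (writer_pid, target_pid, writer_image) edges in first-seen
    order. The table lists each hop several times; duplicates are dropped."""
    edges, seen = [], set()
    for m in RECORD_RE.finditer(text):
        edge = (int(m["writer"]), int(m["target"]), m["image"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_chain(edges, root):
    """Walk writer -> target links from root for as long as the graph stays
    linear. Returns [(pid, image), ...]; the final target has no image in this
    table because an image is only recorded for a process that writes."""
    children, image_of = defaultdict(list), {}
    for writer, target, image in edges:
        children[writer].append(target)
        image_of[writer] = image
    chain, pid, visited = [], root, set()
    while pid not in visited:  # PIDs get recycled over a long run; never loop forever
        visited.add(pid)
        chain.append((pid, image_of.get(pid)))
        nxt = children.get(pid, [])
        if len(nxt) != 1:  # a leaf or a fan-out ends the linear relay
            break
        pid = nxt[0]
    return chain


def is_linear_relay(edges):
    """True when every writer targets exactly one process and every target is
    written by exactly one writer: the hand-off pattern in this report, where
    each dropped in*.exe writes into and starts the next copy."""
    out, inn = defaultdict(set), defaultdict(set)
    for writer, target, _ in edges:
        out[writer].add(target)
        inn[target].add(writer)
    return (all(len(t) == 1 for t in out.values())
            and all(len(w) == 1 for w in inn.values()))


if __name__ == "__main__":
    edges = parse_records(WPM_RECORDS)
    for pid, image in build_chain(edges, 3684):
        print(pid, image or "(target only)")
    print("linear relay:", is_linear_relay(edges))
```

Running it on the full table reproduces the chain 3684, 1816, 1680, 1688, 3952, 4264, 3080, 3996, 2488, 2840, 500, 5056, 4976, 1104, 3556, 3524, 3708, 1376, 2844, 316, 2708, 1272, 5016, which is the order to use when the tree rendering and the table disagree.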
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\innuocedv.exeC:\Windows\system32\innuocedv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\inxtemyti.exeC:\Windows\system32\inxtemyti.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\system32\inogwahsa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\inbqiycju.exeC:\Windows\system32\inbqiycju.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\incanalcr.exeC:\Windows\system32\incanalcr.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500
C:\Windows\SysWOW64\inpleqlxa.exeC:\Windows\system32\inpleqlxa.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\inaexuhtj.exeC:\Windows\system32\inaexuhtj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\system32\inbuxzyre.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\innlypqcs.exeC:\Windows\system32\innlypqcs.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\infvypoww.exeC:\Windows\system32\infvypoww.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\system32\insvxwpco.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\system32\invrckwrg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\inigtklnv.exeC:\Windows\system32\inigtklnv.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\indqsmlmh.exeC:\Windows\system32\indqsmlmh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016 -
C:\Windows\SysWOW64\inaivxrqr.exeC:\Windows\system32\inaivxrqr.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:376 -
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2900 -
C:\Windows\SysWOW64\inbpxnjbw.exeC:\Windows\system32\inbpxnjbw.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468 -
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\system32\inyufnzuj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3684 -
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1576 -
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872 -
C:\Windows\SysWOW64\infumgnyd.exeC:\Windows\system32\infumgnyd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Windows\SysWOW64\inqrggyxc.exeC:\Windows\system32\inqrggyxc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Windows\SysWOW64\inljyapnv.exeC:\Windows\system32\inljyapnv.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\system32\inetlfmxc.exe21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364 -
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\SysWOW64\inmhxsddw.exeC:\Windows\system32\inmhxsddw.exe23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112 -
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe25⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288 -
C:\Windows\SysWOW64\intpaiupe.exeC:\Windows\system32\intpaiupe.exe26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880 -
C:\Windows\SysWOW64\inhwnltjf.exeC:\Windows\system32\inhwnltjf.exe28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168 -
C:\Windows\SysWOW64\inomzqrdt.exeC:\Windows\system32\inomzqrdt.exe29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464 -
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\system32\inmprqjiy.exe31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656 -
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\system32\inazpsjiq.exe33⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\system32\ingvzmksi.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\system32\inwsdlxsh.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Windows\SysWOW64\injhulmow.exeC:\Windows\system32\injhulmow.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Windows\SysWOW64\inbjwysrs.exeC:\Windows\system32\inbjwysrs.exe38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540 -
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804 -
C:\Windows\SysWOW64\inewrcnnk.exeC:\Windows\system32\inewrcnnk.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460 -
C:\Windows\SysWOW64\infdqdofu.exeC:\Windows\system32\infdqdofu.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\SysWOW64\inoxdfqoe.exeC:\Windows\system32\inoxdfqoe.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4260 -
C:\Windows\SysWOW64\inniyteex.exeC:\Windows\system32\inniyteex.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\system32\inixpjqgj.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\system32\insrzztuj.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648 -
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516 -
C:\Windows\SysWOW64\inqgdzfrf.exeC:\Windows\system32\inqgdzfrf.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256 -
C:\Windows\SysWOW64\inhwoipfi.exeC:\Windows\system32\inhwoipfi.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Windows\SysWOW64\inesqmezb.exeC:\Windows\system32\inesqmezb.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660 -
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\SysWOW64\inbohznex.exeC:\Windows\system32\inbohznex.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\system32\ingwzqpxx.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Windows\SysWOW64\inbsfowhf.exeC:\Windows\system32\inbsfowhf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\inahuhbcs.exeC:\Windows\system32\inahuhbcs.exe54⤵PID:500
C:\Windows\SysWOW64\inxsdoolp.exeC:\Windows\system32\inxsdoolp.exe55⤵PID:4184
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\system32\inruwvobn.exe56⤵PID:3604
C:\Windows\SysWOW64\innbxlquo.exeC:\Windows\system32\innbxlquo.exe57⤵
- Modifies Installed Components in the registry
PID:1352 -
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe58⤵PID:4520
C:\Windows\SysWOW64\inugvjlkd.exeC:\Windows\system32\inugvjlkd.exe59⤵PID:3684
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe60⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\system32\innqsrkjz.exe61⤵PID:1544
C:\Windows\SysWOW64\inarenvge.exeC:\Windows\system32\inarenvge.exe62⤵PID:4304
C:\Windows\SysWOW64\infrfqjpo.exeC:\Windows\system32\infrfqjpo.exe63⤵
- Modifies Installed Components in the registry
PID:1996 -
C:\Windows\SysWOW64\indtkzjxv.exeC:\Windows\system32\indtkzjxv.exe64⤵PID:5012
C:\Windows\SysWOW64\inyorihpp.exeC:\Windows\system32\inyorihpp.exe65⤵PID:2100
C:\Windows\SysWOW64\inrshhzyd.exeC:\Windows\system32\inrshhzyd.exe66⤵PID:4448
C:\Windows\SysWOW64\inyegrpfl.exeC:\Windows\system32\inyegrpfl.exe67⤵PID:4672
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe68⤵PID:4988
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\system32\inmtnbdcu.exe69⤵PID:1276
C:\Windows\SysWOW64\inqklaasr.exeC:\Windows\system32\inqklaasr.exe70⤵PID:4232
C:\Windows\SysWOW64\insbquvhx.exeC:\Windows\system32\insbquvhx.exe71⤵PID:3168
C:\Windows\SysWOW64\inrjcgagg.exeC:\Windows\system32\inrjcgagg.exe72⤵PID:64
C:\Windows\SysWOW64\inwmpgfnn.exeC:\Windows\system32\inwmpgfnn.exe73⤵PID:1668
C:\Windows\SysWOW64\ineybxzdp.exeC:\Windows\system32\ineybxzdp.exe74⤵PID:4792
C:\Windows\SysWOW64\inqswbpnw.exeC:\Windows\system32\inqswbpnw.exe75⤵PID:3524
C:\Windows\SysWOW64\inkuaczqt.exeC:\Windows\system32\inkuaczqt.exe76⤵PID:2460
C:\Windows\SysWOW64\inmkxopbr.exeC:\Windows\system32\inmkxopbr.exe77⤵PID:3060
C:\Windows\SysWOW64\intfuikjc.exeC:\Windows\system32\intfuikjc.exe78⤵PID:4668
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\system32\inhfsfaqh.exe79⤵
- Drops file in System32 directory
PID:3668 -
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\system32\incgzwjvl.exe80⤵PID:2808
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe81⤵PID:1600
C:\Windows\SysWOW64\inblsqhkm.exeC:\Windows\system32\inblsqhkm.exe82⤵PID:4000
C:\Windows\SysWOW64\inaikwkwh.exeC:\Windows\system32\inaikwkwh.exe83⤵PID:3528
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe84⤵PID:4520
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe85⤵PID:3600
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe86⤵PID:3084
C:\Windows\SysWOW64\inzhuwqpq.exeC:\Windows\system32\inzhuwqpq.exe87⤵PID:4780
C:\Windows\SysWOW64\incraptug.exeC:\Windows\system32\incraptug.exe88⤵PID:1040
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe89⤵PID:4900
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\system32\inaphxbit.exe90⤵
- Modifies Installed Components in the registry
PID:456 -
C:\Windows\SysWOW64\ingerepgv.exeC:\Windows\system32\ingerepgv.exe91⤵PID:4284
C:\Windows\SysWOW64\inasgqvzt.exeC:\Windows\system32\inasgqvzt.exe92⤵
- Modifies Installed Components in the registry
PID:2084 -
C:\Windows\SysWOW64\inhzrfkoi.exeC:\Windows\system32\inhzrfkoi.exe93⤵PID:4612
C:\Windows\SysWOW64\ingvetxyk.exeC:\Windows\system32\ingvetxyk.exe94⤵PID:944
C:\Windows\SysWOW64\indpalewk.exeC:\Windows\system32\indpalewk.exe95⤵PID:4652
C:\Windows\SysWOW64\inwgusogd.exeC:\Windows\system32\inwgusogd.exe96⤵PID:3796
C:\Windows\SysWOW64\invwyxcqk.exeC:\Windows\system32\invwyxcqk.exe97⤵
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\inpsutmlb.exeC:\Windows\system32\inpsutmlb.exe98⤵PID:1592
C:\Windows\SysWOW64\innptoush.exeC:\Windows\system32\innptoush.exe99⤵PID:3956
C:\Windows\SysWOW64\inzkcszdo.exeC:\Windows\system32\inzkcszdo.exe100⤵PID:5048
C:\Windows\SysWOW64\inlofemzm.exeC:\Windows\system32\inlofemzm.exe101⤵PID:5096
C:\Windows\SysWOW64\inadbobmd.exeC:\Windows\system32\inadbobmd.exe102⤵PID:4708
C:\Windows\SysWOW64\inpiofygs.exeC:\Windows\system32\inpiofygs.exe103⤵PID:3368
C:\Windows\SysWOW64\inkzrlbas.exeC:\Windows\system32\inkzrlbas.exe104⤵PID:2140
C:\Windows\SysWOW64\inlhzufqa.exeC:\Windows\system32\inlhzufqa.exe105⤵PID:4064
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\system32\inatwyxqd.exe106⤵PID:1000
C:\Windows\SysWOW64\ingtgabri.exeC:\Windows\system32\ingtgabri.exe107⤵PID:2484
C:\Windows\SysWOW64\incsnrmiw.exeC:\Windows\system32\incsnrmiw.exe108⤵PID:4984
C:\Windows\SysWOW64\inooxsntm.exeC:\Windows\system32\inooxsntm.exe109⤵PID:3572
C:\Windows\SysWOW64\inddmxhxc.exeC:\Windows\system32\inddmxhxc.exe110⤵PID:4792
C:\Windows\SysWOW64\injqftzfq.exeC:\Windows\system32\injqftzfq.exe111⤵PID:4656
C:\Windows\SysWOW64\inbuzcxoc.exeC:\Windows\system32\inbuzcxoc.exe112⤵PID:1316
C:\Windows\SysWOW64\indtwnmuu.exeC:\Windows\system32\indtwnmuu.exe113⤵PID:1220
C:\Windows\SysWOW64\injfqeotx.exeC:\Windows\system32\injfqeotx.exe114⤵PID:3656
C:\Windows\SysWOW64\injkrqgyq.exeC:\Windows\system32\injkrqgyq.exe115⤵PID:4668
C:\Windows\SysWOW64\inbqostfv.exeC:\Windows\system32\inbqostfv.exe116⤵PID:2956
C:\Windows\SysWOW64\infslrijv.exeC:\Windows\system32\infslrijv.exe117⤵
- Modifies Installed Components in the registry
PID:2044 -
C:\Windows\SysWOW64\ingtvpopk.exeC:\Windows\system32\ingtvpopk.exe118⤵PID:1784
C:\Windows\SysWOW64\inxhvtpha.exeC:\Windows\system32\inxhvtpha.exe119⤵PID:3840
C:\Windows\SysWOW64\inrngsnzc.exeC:\Windows\system32\inrngsnzc.exe120⤵PID:2180
C:\Windows\SysWOW64\inhscspdt.exeC:\Windows\system32\inhscspdt.exe121⤵PID:3844
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe122⤵PID:3128
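The tree above is rendered with each process's image path, its command line and its nesting depth run together on one line, with the PID either appended to that line (the deeper entries) or on its own line after the behaviour list. Three details matter when reading it. Every dropped copy is named "in" followed by seven lowercase letters, and each runs from C:\Windows\SysWOW64 although its command line says system32: a 32-bit process writing under system32 on x64 Windows is redirected to SysWOW64 by the file-system redirector, which is why "Drops file in System32 directory" and a SysWOW64 image path go together here. PIDs such as 3684, 500, 3524, 1576, 2276, 4660 and 4852 each appear for two or three different images because Windows recycles the PIDs of exited processes over a 147-second run, so a PID on its own is not a stable key for this report. And "Modifies Installed Components in the registry" names the Active Setup key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components) without showing the value written. The following Python is an added example, not code from this report or from the sandbox: it parses that layout and applies those checks. TREE is a constructed subset copied verbatim from the tree above.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the process tree above, copied verbatim from
# this report. A header line fuses image path, command line and tree depth;
# the PID is either appended to that line or given on a later "PID:" line.
TREE = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ad825727d40dbf4409ff5bfabf92c0d0_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\system32\inyufnzuj.exe15⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\inahuhbcs.exeC:\Windows\system32\inahuhbcs.exe54⤵PID:500
-
C:\Windows\SysWOW64\inqswbpnw.exeC:\Windows\system32\inqswbpnw.exe75⤵PID:3524
"""

# image path (optionally quoted) + command line (optionally quoted) + depth,
# then the arrow glyph and an optional PID, all run together on one line
HEADER_RE = re.compile(
    r'^(?P<image>"?[A-Za-z]:\\[^"]+?\.exe"?)'
    r'(?P<cmdline>"?[A-Za-z]:\\.+?\.exe"?)'
    r'(?P<depth>\d+)\D*?(?:PID:(?P<pid>\d+))?\s*$'
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
# naming scheme of every dropped copy in this report: "in" + seven lowercase letters
DROPPER_NAME_RE = re.compile(r"^in[a-z]{7}\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_tree(text):
    """Turn the rendered tree into a list of process dicts
    (image, cmdline, depth, pid, behaviours), in tree order."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            cur = {
                "image": head["image"].strip('"'),
                "cmdline": head["cmdline"].strip('"'),
                "depth": int(head["depth"]),
                "pid": int(head["pid"]) if head["pid"] else None,
                "behaviours": [],
            }
            procs.append(cur)
            continue
        if cur is None:
            continue
        pid = PID_RE.match(line)
        if pid:
            cur["pid"] = int(pid["pid"])
        elif line.startswith("- "):
            cur["behaviours"].append(line[2:])
    return procs


def random_named_droppers(procs):
    """Processes whose image name follows the generated in<7 letters>.exe scheme."""
    return [p for p in procs if DROPPER_NAME_RE.match(basename(p["image"]))]


def wow64_redirected(procs):
    """Processes whose command line names the system32 directory while the image
    actually runs from SysWOW64: the file-system redirector sends a 32-bit
    process's writes under system32 to SysWOW64 on x64 Windows."""
    return [p for p in procs
            if "\\system32\\" in p["cmdline"].lower()
            and "\\syswow64\\" in p["image"].lower()]


def pid_reuse(procs):
    """PIDs used by more than one distinct image within the run. Windows recycles
    the PIDs of exited processes, so correlate on PID plus depth (or start time)
    rather than on PID alone."""
    by_pid = defaultdict(list)
    for p in procs:
        name = basename(p["image"])
        if p["pid"] is not None and name not in by_pid[p["pid"]]:
            by_pid[p["pid"]].append(name)
    return {pid: names for pid, names in by_pid.items() if len(names) > 1}


def persistence_writers(procs):
    """Processes the sandbox flagged for modifying Active Setup's
    Installed Components key (the value written is not shown in the report)."""
    return [p for p in procs
            if any("Installed Components" in b for b in p["behaviours"])]


if __name__ == "__main__":
    procs = parse_tree(TREE)
    print("dropped copies:", [basename(p["image"]) for p in random_named_droppers(procs)])
    print("WOW64-redirected:", len(wow64_redirected(procs)))
    print("PID reuse:", pid_reuse(procs))
    print("Active Setup writers:", [basename(p["image"]) for p in persistence_writers(procs)])
```

Pointed at the whole tree, pid_reuse reports every recycled PID listed above, and the naming and SysWOW64 checks match all 121 dropped copies, which is the signal to carry into a hunt: a 32-bit image named in[a-z]{7}.exe under SysWOW64 that both reads another process's memory and writes a new copy of itself.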