Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2023, 16:43
Behavioral task: behavioral1
Sample: NEAS.522e7938d88faa6a090453064c2464d0.exe
Resource: win7-20231020-en
11 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.522e7938d88faa6a090453064c2464d0.exe
Resource: win10v2004-20231023-en
11 signatures, 150 seconds
General
Target: NEAS.522e7938d88faa6a090453064c2464d0.exe
Size: 348KB
MD5: 522e7938d88faa6a090453064c2464d0
SHA1: f6b8517e04ea78c4e2e0d8e142ecbe06a99c5d1a
SHA256: c855bc58f585191c02fbdddb95ee739b6973c55f0b7f3b864d99198f4f0c224c
SHA512: 64fcb5890e199532e4cc92384f858ed723b935d59274a46b7e3ee0df56ddb2e4d21c99cbb46557c1020d24496e03c855837bfe7a8bfdbfab9956aef4e7c5e965
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SG:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0a
Score: 10/10
Malware Config
Signatures
Gh0st RAT payload 64 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 11 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 29 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.522e7938d88faa6a090453064c2464d0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.522e7938d88faa6a090453064c2464d0.exe")
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1936

Level 2: C:\Windows\SysWOW64\inqmfrmyb.exe (command line: C:\Windows\system32\inqmfrmyb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1176

Level 3: C:\Windows\SysWOW64\invhwkmle.exe (command line: C:\Windows\system32\invhwkmle.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2792

Level 4: C:\Windows\SysWOW64\ingvnhoze.exe (command line: C:\Windows\system32\ingvnhoze.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1748

Level 5: C:\Windows\SysWOW64\infumgnyd.exe (command line: C:\Windows\system32\infumgnyd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2240

Level 6: C:\Windows\SysWOW64\inhfsfaqh.exe (command line: C:\Windows\system32\inhfsfaqh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1716

Level 7: C:\Windows\SysWOW64\innfvgrkz.exe (command line: C:\Windows\system32\innfvgrkz.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2500

Level 8: C:\Windows\SysWOW64\inyjbrycn.exe (command line: C:\Windows\system32\inyjbrycn.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1224

Level 9: C:\Windows\SysWOW64\indhxkwmb.exe (command line: C:\Windows\system32\indhxkwmb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2076

Level 10: C:\Windows\SysWOW64\insohtodl.exe (command line: C:\Windows\system32\insohtodl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2008

Level 11: C:\Windows\SysWOW64\inyufnzuj.exe (command line: C:\Windows\system32\inyufnzuj.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 444

Level 12: C:\Windows\SysWOW64\inzvgovkd.exe (command line: C:\Windows\system32\inzvgovkd.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 612

Level 13: C:\Windows\SysWOW64\inixomukg.exe (command line: C:\Windows\system32\inixomukg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2344

Level 14: C:\Windows\SysWOW64\incgzwjvl.exe (command line: C:\Windows\system32\incgzwjvl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1016

Level 15: C:\Windows\SysWOW64\inpbwqegf.exe (command line: C:\Windows\system32\inpbwqegf.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 888

Level 16: C:\Windows\SysWOW64\inxiaqxbm.exe (command line: C:\Windows\system32\inxiaqxbm.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2144

Level 17: C:\Windows\SysWOW64\inpsutmlb.exe (command line: C:\Windows\system32\inpsutmlb.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2644

Level 18: C:\Windows\SysWOW64\indwztgsi.exe (command line: C:\Windows\system32\indwztgsi.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1176

Level 19: C:\Windows\SysWOW64\inogwahsa.exe (command line: C:\Windows\system32\inogwahsa.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2352

Level 20: C:\Windows\SysWOW64\inatwyxqd.exe (command line: C:\Windows\system32\inatwyxqd.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2556

Level 21: C:\Windows\SysWOW64\inbfyviuk.exe (command line: C:\Windows\system32\inbfyviuk.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1896

Level 22: C:\Windows\SysWOW64\injhulmow.exe (command line: C:\Windows\system32\injhulmow.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2516

Level 23: C:\Windows\SysWOW64\indtwnmuu.exe (command line: C:\Windows\system32\indtwnmuu.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1512

Level 24: C:\Windows\SysWOW64\inaikwkwh.exe (command line: C:\Windows\system32\inaikwkwh.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1716

Level 25: C:\Windows\SysWOW64\injwnoaqy.exe (command line: C:\Windows\system32\injwnoaqy.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1728

Level 26: C:\Windows\SysWOW64\inetlfmxc.exe (command line: C:\Windows\system32\inetlfmxc.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2956

Level 27: C:\Windows\SysWOW64\inldtepix.exe (command line: C:\Windows\system32\inldtepix.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2060

Level 28: C:\Windows\SysWOW64\insvxwpco.exe (command line: C:\Windows\system32\insvxwpco.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2224

Level 29: C:\Windows\SysWOW64\infhthtec.exe (command line: C:\Windows\system32\infhthtec.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1948

Level 30: C:\Windows\SysWOW64\inortslka.exe (command line: C:\Windows\system32\inortslka.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796

Level 31: C:\Windows\SysWOW64\insbquvhx.exe (command line: C:\Windows\system32\insbquvhx.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1008

Level 32: C:\Windows\SysWOW64\inlsmacbt.exe (command line: C:\Windows\system32\inlsmacbt.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2140

Level 33: C:\Windows\SysWOW64\inqcxrfhg.exe (command line: C:\Windows\system32\inqcxrfhg.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1504

Level 34: C:\Windows\SysWOW64\inkzrlbas.exe (command line: C:\Windows\system32\inkzrlbas.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2220

Level 35: C:\Windows\SysWOW64\infdqdofu.exe (command line: C:\Windows\system32\infdqdofu.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2628

Level 36: C:\Windows\SysWOW64\inhjvjvge.exe (command line: C:\Windows\system32\inhjvjvge.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2284

Level 37: C:\Windows\SysWOW64\inyteppma.exe (command line: C:\Windows\system32\inyteppma.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2112

Level 38: C:\Windows\SysWOW64\ingvetxyk.exe (command line: C:\Windows\system32\ingvetxyk.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2540

Level 39: C:\Windows\SysWOW64\inaexuhtj.exe (command line: C:\Windows\system32\inaexuhtj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1404

Level 40: C:\Windows\SysWOW64\inmeufqjy.exe (command line: C:\Windows\system32\inmeufqjy.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1416

Level 41: C:\Windows\SysWOW64\incraptug.exe (command line: C:\Windows\system32\incraptug.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1452

Level 42: C:\Windows\SysWOW64\inuqbjvqf.exe (command line: C:\Windows\system32\inuqbjvqf.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1236

Level 43: C:\Windows\SysWOW64\infnwdvwr.exe (command line: C:\Windows\system32\infnwdvwr.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2868

Level 44: C:\Windows\SysWOW64\inoavpdfe.exe (command line: C:\Windows\system32\inoavpdfe.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2996

Level 45: C:\Windows\SysWOW64\inopeewva.exe (command line: C:\Windows\system32\inopeewva.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2040

Level 46: C:\Windows\SysWOW64\inilcbjwj.exe (command line: C:\Windows\system32\inilcbjwj.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 588

Level 47: C:\Windows\SysWOW64\inugvjlkd.exe (command line: C:\Windows\system32\inugvjlkd.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2072

Level 48: C:\Windows\SysWOW64\intfuikjc.exe (command line: C:\Windows\system32\intfuikjc.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1768

Level 49: C:\Windows\SysWOW64\inljyapnv.exe (command line: C:\Windows\system32\inljyapnv.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 292

Level 50: C:\Windows\SysWOW64\inwixlnmf.exe (command line: C:\Windows\system32\inwixlnmf.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 788

Level 51: C:\Windows\SysWOW64\intpaiupe.exe (command line: C:\Windows\system32\intpaiupe.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1408

Level 52: C:\Windows\SysWOW64\inzkcszdo.exe (command line: C:\Windows\system32\inzkcszdo.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1596

Level 53: C:\Windows\SysWOW64\inmxiifwj.exe (command line: C:\Windows\system32\inmxiifwj.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2312

Level 54: C:\Windows\SysWOW64\ineybxzdp.exe (command line: C:\Windows\system32\ineybxzdp.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2220

Level 55: C:\Windows\SysWOW64\inxjymong.exe (command line: C:\Windows\system32\inxjymong.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2692

Level 56: C:\Windows\SysWOW64\inxtemyti.exe (command line: C:\Windows\system32\inxtemyti.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2536

Level 57: C:\Windows\SysWOW64\inzloqpih.exe (command line: C:\Windows\system32\inzloqpih.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2132

Level 58: C:\Windows\SysWOW64\inmprqjiy.exe (command line: C:\Windows\system32\inmprqjiy.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2816

Level 59: C:\Windows\SysWOW64\inpfzcyeq.exe (command line: C:\Windows\system32\inpfzcyeq.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1860

Level 60: C:\Windows\SysWOW64\injlxlxig.exe (command line: C:\Windows\system32\injlxlxig.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1308

Level 61: C:\Windows\SysWOW64\indpalewk.exe (command line: C:\Windows\system32\indpalewk.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1136

Level 62: C:\Windows\SysWOW64\inpleqlxa.exe (command line: C:\Windows\system32\inpleqlxa.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2468

Level 63: C:\Windows\SysWOW64\incrjzdkv.exe (command line: C:\Windows\system32\incrjzdkv.exe)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 324

Level 64: C:\Windows\SysWOW64\intmsjkwc.exe (command line: C:\Windows\system32\intmsjkwc.exe)
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1068

Level 65: C:\Windows\SysWOW64\injyqkarh.exe (command line: C:\Windows\system32\injyqkarh.exe)
- Executes dropped EXE
PID: 3060

Level 66: C:\Windows\SysWOW64\inruwvobn.exe (command line: C:\Windows\system32\inruwvobn.exe)
- Drops file in System32 directory
PID: 992

Level 67: C:\Windows\SysWOW64\inkveoutv.exe (command line: C:\Windows\system32\inkveoutv.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 2796

Level 68: C:\Windows\SysWOW64\invrckwrg.exe (command line: C:\Windows\system32\invrckwrg.exe)
PID: 2020

Level 69: C:\Windows\SysWOW64\inigtklnv.exe (command line: C:\Windows\system32\inigtklnv.exe)
PID: 1644

Level 70: C:\Windows\SysWOW64\ineqbmfxl.exe (command line: C:\Windows\system32\ineqbmfxl.exe)
- Drops file in System32 directory
PID: 2268

Level 71: C:\Windows\SysWOW64\inxgusiod.exe (command line: C:\Windows\system32\inxgusiod.exe)
- Modifies Installed Components in the registry
PID: 2784

Level 72: C:\Windows\SysWOW64\invuwaxma.exe (command line: C:\Windows\system32\invuwaxma.exe)
- Drops file in System32 directory
PID: 2684

Level 73: C:\Windows\SysWOW64\inlvjosms.exe (command line: C:\Windows\system32\inlvjosms.exe)
- Drops file in System32 directory
PID: 1176

Level 74: C:\Windows\SysWOW64\innuocedv.exe (command line: C:\Windows\system32\innuocedv.exe)
PID: 2692

Level 75: C:\Windows\SysWOW64\incsvmltt.exe (command line: C:\Windows\system32\incsvmltt.exe)
PID: 1400

Level 76: C:\Windows\SysWOW64\inxrqyyst.exe (command line: C:\Windows\system32\inxrqyyst.exe)
PID: 2856

Level 77: C:\Windows\SysWOW64\inmibthrw.exe (command line: C:\Windows\system32\inmibthrw.exe)
PID: 1512

Level 78: C:\Windows\SysWOW64\indscwrxb.exe (command line: C:\Windows\system32\indscwrxb.exe)
PID: 1324

Level 79: C:\Windows\SysWOW64\inxnqhgoo.exe (command line: C:\Windows\system32\inxnqhgoo.exe)
PID: 2716

Level 80: C:\Windows\SysWOW64\insaljfpw.exe (command line: C:\Windows\system32\insaljfpw.exe)
- Modifies Installed Components in the registry
PID: 2408

Level 81: C:\Windows\SysWOW64\inbrulkss.exe (command line: C:\Windows\system32\inbrulkss.exe)
PID: 2000

Level 82: C:\Windows\SysWOW64\insrzztuj.exe (command line: C:\Windows\system32\insrzztuj.exe)
PID: 1864

Level 83: C:\Windows\SysWOW64\inrdysgih.exe (command line: C:\Windows\system32\inrdysgih.exe)
PID: 1904

Level 84: C:\Windows\SysWOW64\inkbaivic.exe (command line: C:\Windows\system32\inkbaivic.exe)
PID: 1028

Level 85: C:\Windows\SysWOW64\inmnccutj.exe (command line: C:\Windows\system32\inmnccutj.exe)
PID: 1652

Level 86: C:\Windows\SysWOW64\inutvwllh.exe (command line: C:\Windows\system32\inutvwllh.exe)
- Drops file in System32 directory
PID: 1620

Level 87: C:\Windows\SysWOW64\ingabrixh.exe (command line: C:\Windows\system32\ingabrixh.exe)
- Drops file in System32 directory
PID: 2044

Level 88: C:\Windows\SysWOW64\inmkxopbr.exe (command line: C:\Windows\system32\inmkxopbr.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 2788

Level 89: C:\Windows\SysWOW64\inbuxzyre.exe (command line: C:\Windows\system32\inbuxzyre.exe)
PID: 2292

Level 90: C:\Windows\SysWOW64\inixpjqgj.exe (command line: C:\Windows\system32\inixpjqgj.exe)
- Modifies Installed Components in the registry
PID: 2648

Level 91: C:\Windows\SysWOW64\innlypqcs.exe (command line: C:\Windows\system32\innlypqcs.exe)
PID: 2608

Level 92: C:\Windows\SysWOW64\inuloqrtx.exe (command line: C:\Windows\system32\inuloqrtx.exe)
- Modifies Installed Components in the registry
PID: 2936

Level 93: C:\Windows\SysWOW64\inhwoipfi.exe (command line: C:\Windows\system32\inhwoipfi.exe)
PID: 1848

Level 94: C:\Windows\SysWOW64\inqzfhsqg.exe (command line: C:\Windows\system32\inqzfhsqg.exe)
PID: 1364

Level 95: C:\Windows\SysWOW64\inhwfuyzl.exe (command line: C:\Windows\system32\inhwfuyzl.exe)
- Modifies Installed Components in the registry
PID: 1956

Level 96: C:\Windows\SysWOW64\incvdypdo.exe (command line: C:\Windows\system32\incvdypdo.exe)
PID: 1672

Level 97: C:\Windows\SysWOW64\inmtnbdcu.exe (command line: C:\Windows\system32\inmtnbdcu.exe)
- Drops file in System32 directory
PID: 2252

Level 98: C:\Windows\SysWOW64\indskelwb.exe (command line: C:\Windows\system32\indskelwb.exe)
PID: 1944

Level 99: C:\Windows\SysWOW64\indeulkya.exe (command line: C:\Windows\system32\indeulkya.exe)
- Drops file in System32 directory
PID: 1712

Level 100: C:\Windows\SysWOW64\inadbobmd.exe (command line: C:\Windows\system32\inadbobmd.exe)
PID: 1684

Level 101: C:\Windows\SysWOW64\iniqzgcyz.exe (command line: C:\Windows\system32\iniqzgcyz.exe)
PID: 1948

Level 102: C:\Windows\SysWOW64\inrngsnzc.exe (command line: C:\Windows\system32\inrngsnzc.exe)
PID: 568

Level 103: C:\Windows\SysWOW64\inwgusogd.exe (command line: C:\Windows\system32\inwgusogd.exe)
- Modifies Installed Components in the registry
PID: 2280

Level 104: C:\Windows\SysWOW64\injfqeotx.exe (command line: C:\Windows\system32\injfqeotx.exe)
PID: 2504

Level 105: C:\Windows\SysWOW64\inbqostfv.exe (command line: C:\Windows\system32\inbqostfv.exe)
- Drops file in System32 directory
PID: 2268

Level 106: C:\Windows\SysWOW64\inmwcesvx.exe (command line: C:\Windows\system32\inmwcesvx.exe)
PID: 2388

Level 107: C:\Windows\SysWOW64\inaqceivb.exe (command line: C:\Windows\system32\inaqceivb.exe)
- Modifies Installed Components in the registry
PID: 2740

Level 108: C:\Windows\SysWOW64\inaphxbit.exe (command line: C:\Windows\system32\inaphxbit.exe)
PID: 2792

Level 109: C:\Windows\SysWOW64\inyazesml.exe (command line: C:\Windows\system32\inyazesml.exe)
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID: 2608

Level 110: C:\Windows\SysWOW64\ingiuiufd.exe (command line: C:\Windows\system32\ingiuiufd.exe)
PID: 1276

Level 111: C:\Windows\SysWOW64\insezthji.exe (command line: C:\Windows\system32\insezthji.exe)
PID: 1844

Level 112: C:\Windows\SysWOW64\ineuxonvv.exe (command line: C:\Windows\system32\ineuxonvv.exe)
PID: 3020

Level 113: C:\Windows\SysWOW64\inqtvunam.exe (command line: C:\Windows\system32\inqtvunam.exe)
- Drops file in System32 directory
PID: 1224

Level 114: C:\Windows\SysWOW64\inwnmuuop.exe (command line: C:\Windows\system32\inwnmuuop.exe)
PID: 2208

Level 115: C:\Windows\SysWOW64\infslrijv.exe (command line: C:\Windows\system32\infslrijv.exe)
PID: 2408

Level 116: C:\Windows\SysWOW64\inbmkzbqa.exe (command line: C:\Windows\system32\inbmkzbqa.exe)
PID: 2224

Level 117: C:\Windows\SysWOW64\innoddvuk.exe (command line: C:\Windows\system32\innoddvuk.exe)
PID: 756

Level 118: C:\Windows\SysWOW64\inwmpgfnn.exe (command line: C:\Windows\system32\inwmpgfnn.exe)
PID: 3052

Level 119: C:\Windows\SysWOW64\inimthpzj.exe (command line: C:\Windows\system32\inimthpzj.exe)
- Drops file in System32 directory
PID: 2840

Level 120: C:\Windows\SysWOW64\inasgqvzt.exe (command line: C:\Windows\system32\inasgqvzt.exe)
PID: 1652

Level 121: C:\Windows\SysWOW64\inscqyokc.exe (command line: C:\Windows\system32\inscqyokc.exe)
PID: 2080

Level 122: C:\Windows\SysWOW64\inrkqhiua.exe (command line: C:\Windows\system32\inrkqhiua.exe)
- Modifies Installed Components in the registry
PID: 2044