Analysis
max time kernel: 152s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2023, 07:43
Behavioral task: behavioral1
Sample: NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
Resource: win7-20231023-en
11 signatures
150 seconds

Behavioral task: behavioral2
Sample: NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
Resource: win10v2004-20231025-en
11 signatures
150 seconds
General
Target: NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
Size: 348KB
MD5: 42b86f192d5f944b5f7458e81fe8a2d0
SHA1: d2816bb13258cff33ed8fd9c653f51883090dc86
SHA256: 67b16ba806e1bef2b9ea4e0c3ee17997c6f026f2737656ea67848ffe3c407858
SHA512: 7fb1378f7dc6f937dfb17886593786f5141295a1ebf1cef2b3e84182e2b1f142700947be4e027c62f1d486b4b11f4bf0870b0d42257bba01b14e14fc5c89d9e9
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SH:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0z
Score: 10/10

Malware Config

Signatures
Gh0st RAT payload (62 IoCs)
resource | yara_rule
behavioral2/memory/3748-0-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0008000000022df9-20.dat | family_gh0strat
behavioral2/files/0x0008000000022df9-19.dat | family_gh0strat
behavioral2/memory/3748-23-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0007000000022e00-30.dat | family_gh0strat
behavioral2/files/0x0007000000022e01-37.dat | family_gh0strat
behavioral2/memory/560-58-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/3340-59-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0007000000022e01-42.dat | family_gh0strat
behavioral2/files/0x0007000000022e07-65.dat | family_gh0strat
behavioral2/files/0x0007000000022e07-66.dat | family_gh0strat
behavioral2/files/0x0007000000022e0b-88.dat | family_gh0strat
behavioral2/files/0x0007000000022e0b-87.dat | family_gh0strat
behavioral2/memory/2208-69-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0007000000022e01-41.dat | family_gh0strat
behavioral2/memory/2208-96-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0007000000022e10-109.dat | family_gh0strat
behavioral2/files/0x0007000000022e10-111.dat | family_gh0strat
behavioral2/memory/4540-113-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e18-132.dat | family_gh0strat
behavioral2/memory/1204-150-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e1c-156.dat | family_gh0strat
behavioral2/files/0x0006000000022e1c-155.dat | family_gh0strat
behavioral2/memory/3256-176-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e20-179.dat | family_gh0strat
behavioral2/files/0x0006000000022e24-200.dat | family_gh0strat
behavioral2/files/0x0006000000022e24-201.dat | family_gh0strat
behavioral2/files/0x0006000000022e20-178.dat | family_gh0strat
behavioral2/memory/4492-208-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e28-225.dat | family_gh0strat
behavioral2/files/0x0006000000022e2d-247.dat | family_gh0strat
behavioral2/files/0x0006000000022e2d-246.dat | family_gh0strat
behavioral2/memory/3668-241-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/4400-263-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/4376-286-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e39-315.dat | family_gh0strat
behavioral2/files/0x0006000000022e39-316.dat | family_gh0strat
behavioral2/memory/3204-351-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e3d-336.dat | family_gh0strat
behavioral2/files/0x0006000000022e3d-335.dat | family_gh0strat
behavioral2/files/0x0006000000022e35-293.dat | family_gh0strat
behavioral2/files/0x0006000000022e35-292.dat | family_gh0strat
behavioral2/files/0x0006000000022e31-270.dat | family_gh0strat
behavioral2/files/0x0006000000022e31-269.dat | family_gh0strat
behavioral2/memory/1780-267-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/3448-353-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/2384-352-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e28-224.dat | family_gh0strat
behavioral2/files/0x0006000000022e42-361.dat | family_gh0strat
behavioral2/files/0x0006000000022e42-359.dat | family_gh0strat
behavioral2/memory/224-136-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000022e18-134.dat | family_gh0strat
behavioral2/memory/904-391-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/5056-390-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/5056-399-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/3408-427-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/376-435-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/5012-453-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/4392-472-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/704-491-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/3960-520-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
behavioral2/memory/5108-528-0x0000000000400000-0x000000000042F000-memory.dmp | family_gh0strat
Modifies Installed Components in the registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7D52639-DAE5-434f-8571-B9320556B814} | inknhvqeu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EDFEE5A-4E34-42d2-B0BC-BB3715A6C06A}\stubpath = "C:\\Windows\\system32\\innptoush.exe" | inktojpiu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF215A92-A845-41bd-A3F0-43C7A353B55E}\stubpath = "C:\\Windows\\system32\\inufueytz.exe" | injdwyyif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BC91C1-4EF1-426a-8EA6-FE613E715738} | inbuxzyre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4346C6-E9D2-4ed3-887E-C976612BA3E7}\stubpath = "C:\\Windows\\system32\\inclpwksm.exe" | inmkoozmm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468FEA6B-E32E-4d6e-B937-A68C0EFDDB48} | inrdysgih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7930EDEF-72FC-422f-9573-10E2A6AE50BC}\stubpath = "C:\\Windows\\system32\\inykmqjhq.exe" | inrfpuysy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2E5E03-919F-4a57-A198-EBEA60EA969F} | invgvfzue.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25952369-D3B6-44ea-B3A0-B36DADC55007}\stubpath = "C:\\Windows\\system32\\inzolinkh.exe" | injfqeotx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C994712D-36BE-4f0d-AF51-F0A997550CBB} | inbqiycju.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B750B446-E017-4403-ACEA-23AE87EFE327} | inmibthrw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9E2D381-4120-4bca-BE06-7FA27C6839D7}\stubpath = "C:\\Windows\\system32\\inpkfxleq.exe" | indvjzcoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB7B27C5-7916-4b1a-883F-44E35CEC78C4}\stubpath = "C:\\Windows\\system32\\inqzfhsqg.exe" | inmiqkaqr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DBD5BF6-2D27-4e5f-A0C7-36FC1BA140CD}\stubpath = "C:\\Windows\\system32\\inyufnzuj.exe" | intpaiupe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1104616-7075-43e4-90DA-256F228C4666} | inbjudnts.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F134BF9-4C0B-4321-8A4C-ABB01B138352}\stubpath = "C:\\Windows\\system32\\inhrmfavc.exe" | inpdlvxfh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D90BBA8-C611-404a-AE9B-FC62ED77282C} | inhzrfkoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F238404-B2A7-4b19-8B41-351A2601E2CA}\stubpath = "C:\\Windows\\system32\\inpiofygs.exe" | innezahdx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DB763B1-01A9-42f6-B26F-2E6B80A7B6F0} | inxshctsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{842BA178-9870-4a9f-9686-863019CFCC1A} | invhwkmle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{514CB119-8A27-42a2-963E-22BE73269586}\stubpath = "C:\\Windows\\system32\\inbjwysrs.exe" | innqsrkjz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8E67606-8EFD-4074-BF94-E9837EDD76F8}\stubpath = "C:\\Windows\\system32\\inetlfmxc.exe" | inlhzufqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B711232-2EF9-4ed0-BE25-7EB625ED1284}\stubpath = "C:\\Windows\\system32\\inindltah.exe" | inrvkfwvq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C868F1D-B577-4be7-ACD6-F676C027D6EF}\stubpath = "C:\\Windows\\system32\\inbmyhvlc.exe" | inwtzamwg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728C781F-AF91-4a9a-99CB-83E4F14A2F35}\stubpath = "C:\\Windows\\system32\\inwixlnmf.exe" | inadbobmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46653580-5DCE-48c9-B267-61E06EF10B11}\stubpath = "C:\\Windows\\system32\\inqcxrfhg.exe" | invbdruwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{488C85B8-BD8D-4d73-943A-2A60CEADDBDA}\stubpath = "C:\\Windows\\system32\\inqtvunam.exe" | inpkfxleq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1022BF9-C814-4b14-A747-5B66794E2118} | inrtkbsie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59307FAE-5C5A-4508-82A8-292A192C471E}\stubpath = "C:\\Windows\\system32\\innezovdr.exe" | inmqlrpew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B5A2A39-AEA8-43e0-AA13-2613E66DBEEB}\stubpath = "C:\\Windows\\system32\\inzebvemw.exe" | inkwblfyk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6658C9E9-6B3E-4551-8C88-61A5BF4077F7} | injhpghxs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE526A9A-0D8F-4adf-8A2F-42440CC484BA}\stubpath = "C:\\Windows\\system32\\inrdysgih.exe" | inbqostfv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2A2930-79FD-4892-A0ED-5594E54096F5}\stubpath = "C:\\Windows\\system32\\inmnccutj.exe" | inqmfrmyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACA9A2AE-6238-4d6e-9CC6-08001CA713F5} | inqnbrgit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B9081E-AC00-4550-9D82-AE80D9899837} | ingwzqpxx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{510B4DEA-E905-48b0-AD11-1347D126A01A}\stubpath = "C:\\Windows\\system32\\intphcved.exe" | inindltah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{098A7E25-7184-4e63-B95F-8F3E60221F9F} | inokbwlsa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{098A7E25-7184-4e63-B95F-8F3E60221F9F}\stubpath = "C:\\Windows\\system32\\inkhtihxi.exe" | inokbwlsa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41B986C3-105C-45c0-A807-0FDA24DA2145} | inhjrgabu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1777D84-64EE-4d8d-BBE3-2C45133F4057} | inbaqbdfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DA6FE9E-F1B4-4cd9-8D8E-584BB2EB7F5B}\stubpath = "C:\\Windows\\system32\\inqswbpnw.exe" | inkxmjgli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8986455-B215-47e5-A31F-9AB833377C60} | indxawycz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93078927-79C8-4231-BBB5-42755FEBB2BE} | inrjcgagg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4922764-28A0-4bc9-89F3-CE90A3702A2F}\stubpath = "C:\\Windows\\system32\\injkrqgyq.exe" | inirmhzng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F0555E-3558-44c1-AD1B-B935D4A8CAF1}\stubpath = "C:\\Windows\\system32\\injyixbhg.exe" | iniszaxor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4926BDD-949F-4b78-B808-891823E45AD3}\stubpath = "C:\\Windows\\system32\\inlhpjpqs.exe" | indwezqep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{978621CE-64B0-4076-B60D-D4D85AB8BB0F} | innezovdr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63833EBA-5FFA-4630-B2F7-06C116436A0A}\stubpath = "C:\\Windows\\system32\\inbuiwfec.exe" | indbkovjr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43093356-CCCC-42fa-9393-6427858C10D1} | inbhrywnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{013EC3E3-6573-40a0-A274-3BBBC8637A2E}\stubpath = "C:\\Windows\\system32\\indlflxmo.exe" | inzjlpkqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1033278-8ED2-4816-9D55-BE7688E2A4F3}\stubpath = "C:\\Windows\\system32\\insuknjca.exe" | inpwglkgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F5C7DB2-1866-4759-BD7A-5210A3301501}\stubpath = "C:\\Windows\\system32\\inxitdtqe.exe" | inrbrocsh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69236A1E-170F-43c0-9D23-37C402077B81} | inmtiwity.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BF87D72-F30F-45c8-A887-AB284F4FD610}\stubpath = "C:\\Windows\\system32\\inhscspdt.exe" | injyixbhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B19818E9-4DFE-40df-84EA-0BA74794610A}\stubpath = "C:\\Windows\\system32\\inyaereiz.exe" | insbznvcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A6B531-8D6D-462e-AAFE-1184BD9755FD}\stubpath = "C:\\Windows\\system32\\inpbwqegf.exe" | inlgphgbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77DC7A73-C739-43c2-B3C5-8B70090690C1}\stubpath = "C:\\Windows\\system32\\inbpjipes.exe" | inrhmypep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC63D13F-6979-48f8-A5AA-6CBC4D1800A5}\stubpath = "C:\\Windows\\system32\\inaouaylq.exe" | inhsblrqs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B40013F-708B-4323-A2CC-58715C2027EF}\stubpath = "C:\\Windows\\system32\\inixomukg.exe" | inyluacnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{064EC7F3-DD1B-4f35-9930-95688B0ABFA1}\stubpath = "C:\\Windows\\system32\\incrjzdkv.exe" | inwhpwale.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AFBBED-EC53-428b-ACF7-3E2AFC100A3B}\stubpath = "C:\\Windows\\system32\\indhxkwmb.exe" | inpqffxwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0120F407-CD6C-4d54-8F8D-C7EC99B3DDCC}\stubpath = "C:\\Windows\\system32\\inuytzxmg.exe" | inorbpnrr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D67AEB05-50D9-4141-9951-3380EC534769}\stubpath = "C:\\Windows\\system32\\innpclapa.exe" | inhegsgsd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9F3F80-B805-48b1-BF2D-95FAE9DCE740} | indeoeuxa.exe
ACProtect 1.3x - 1.4x DLL software (33 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x00040000000006e5-4.dat | acprotect
behavioral2/files/0x00040000000006e5-2.dat | acprotect
behavioral2/files/0x00040000000006e5-12.dat | acprotect
behavioral2/files/0x0007000000022dff-26.dat | acprotect
behavioral2/files/0x0007000000022dff-24.dat | acprotect
behavioral2/files/0x0007000000022e03-48.dat | acprotect
behavioral2/files/0x0007000000022e03-46.dat | acprotect
behavioral2/files/0x0007000000022e09-72.dat | acprotect
behavioral2/files/0x0007000000022e09-70.dat | acprotect
behavioral2/files/0x0007000000022e0d-93.dat | acprotect
behavioral2/files/0x0007000000022e0d-91.dat | acprotect
behavioral2/files/0x0007000000022e15-116.dat | acprotect
behavioral2/files/0x0007000000022e15-114.dat | acprotect
behavioral2/files/0x0006000000022e1a-139.dat | acprotect
behavioral2/files/0x0006000000022e26-205.dat | acprotect
behavioral2/files/0x0006000000022e22-185.dat | acprotect
behavioral2/files/0x0006000000022e22-183.dat | acprotect
behavioral2/files/0x0006000000022e2b-230.dat | acprotect
behavioral2/files/0x0006000000022e2b-228.dat | acprotect
behavioral2/files/0x0006000000022e37-297.dat | acprotect
behavioral2/files/0x0006000000022e3b-321.dat | acprotect
behavioral2/files/0x0006000000022e3b-319.dat | acprotect
behavioral2/files/0x0006000000022e37-300.dat | acprotect
behavioral2/files/0x0006000000022e33-276.dat | acprotect
behavioral2/files/0x0006000000022e33-274.dat | acprotect
behavioral2/files/0x0006000000022e3f-341.dat | acprotect
behavioral2/files/0x0006000000022e3f-339.dat | acprotect
behavioral2/files/0x0006000000022e2f-252.dat | acprotect
behavioral2/files/0x0006000000022e2f-250.dat | acprotect
behavioral2/files/0x0006000000022e26-209.dat | acprotect
behavioral2/files/0x0006000000022e1e-161.dat | acprotect
behavioral2/files/0x0006000000022e1e-159.dat | acprotect
behavioral2/files/0x0006000000022e1a-137.dat | acprotect
Executes dropped EXE (64 IoCs)
pid | Process
3340 | inldtepix.exe
560 | inxiaqxbm.exe
2208 | inoavpdfe.exe
4540 | inmeufqjy.exe
224 | invhwkmle.exe
1204 | inruwvobn.exe
3256 | inhwoipfi.exe
4492 | inrngsnzc.exe
3668 | incvyzsfr.exe
4400 | inpsutmlb.exe
1780 | indskelwb.exe
4376 | inzkcszdo.exe
3204 | indxawycz.exe
3448 | inkzrlbas.exe
2384 | inuqbjvqf.exe
904 | inugvjlkd.exe
5056 | inwsdlxsh.exe
3408 | inaexuhtj.exe
376 | inbqiycju.exe
5012 | indtwnmuu.exe
4392 | inocokdvj.exe
704 | ingtgabri.exe
3960 | inmtnbdcu.exe
5108 | incsvmltt.exe
1504 | inbfyviuk.exe
1056 | invrckwrg.exe
2340 | inwhpwale.exe
2568 | incrjzdkv.exe
2036 | inxjymong.exe
3196 | inknedlyl.exe
388 | innlypqcs.exe
660 | inzvgovkd.exe
3408 | infgwnmcy.exe
3848 | inaivxrqr.exe
4948 | insbquvhx.exe
3968 | ingvzmksi.exe
1200 | innfvgrkz.exe
2756 | inbrulkss.exe
4872 | inhwfuyzl.exe
5060 | inortslka.exe
1056 | invrckwrg.exe
3936 | inopeewva.exe
884 | injwnoaqy.exe
1188 | inxtemyti.exe
3992 | inzloqpih.exe
3252 | insvxwpco.exe
3084 | injyqkarh.exe
460 | intpaiupe.exe
548 | inyufnzuj.exe
3668 | incgzwjvl.exe
1368 | inaphxbit.exe
4580 | inpleqlxa.exe
1640 | intcrvwiy.exe
5060 | inortslka.exe
3700 | inadbobmd.exe
4512 | inwixlnmf.exe
2348 | inumafjdj.exe
1756 | inmhxsddw.exe
4344 | infnwdvwr.exe
2248 | inykznpoh.exe
208 | inhwnltjf.exe
3648 | inscqyokc.exe
2860 | inxhvtpha.exe
4580 | TrustedInstaller.exe
Loads dropped DLL (64 IoCs)
pid | Process
3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
3340 | inldtepix.exe
3340 | inldtepix.exe
560 | inxiaqxbm.exe
560 | inxiaqxbm.exe
2208 | inoavpdfe.exe
2208 | inoavpdfe.exe
4540 | inmeufqjy.exe
4540 | inmeufqjy.exe
224 | invhwkmle.exe
224 | invhwkmle.exe
1204 | inruwvobn.exe
1204 | inruwvobn.exe
3256 | inhwoipfi.exe
3256 | inhwoipfi.exe
4492 | inrngsnzc.exe
4492 | inrngsnzc.exe
3668 | incvyzsfr.exe
3668 | incvyzsfr.exe
4400 | inpsutmlb.exe
4400 | inpsutmlb.exe
1780 | indskelwb.exe
1780 | indskelwb.exe
4376 | inzkcszdo.exe
4376 | inzkcszdo.exe
3204 | indxawycz.exe
3204 | indxawycz.exe
3448 | inkzrlbas.exe
3448 | inkzrlbas.exe
2384 | inuqbjvqf.exe
2384 | inuqbjvqf.exe
904 | inugvjlkd.exe
904 | inugvjlkd.exe
5056 | inwsdlxsh.exe
5056 | inwsdlxsh.exe
3408 | infgwnmcy.exe
3408 | infgwnmcy.exe
376 | inbqiycju.exe
376 | inbqiycju.exe
5012 | indtwnmuu.exe
5012 | indtwnmuu.exe
4392 | inocokdvj.exe
4392 | inocokdvj.exe
704 | ingtgabri.exe
704 | ingtgabri.exe
3960 | inmtnbdcu.exe
3960 | inmtnbdcu.exe
5108 | incsvmltt.exe
5108 | incsvmltt.exe
1504 | inbfyviuk.exe
1504 | inbfyviuk.exe
1056 | invrckwrg.exe
1056 | invrckwrg.exe
2340 | inwhpwale.exe
2340 | inwhpwale.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2036 | inxjymong.exe
2036 | inxjymong.exe
3196 | inknedlyl.exe
3196 | inknedlyl.exe
388 | innlypqcs.exe
388 | innlypqcs.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\incbrcegj.exe_lang.ini | inmlwcerc.exe
File opened for modification | C:\Windows\SysWOW64\insuknjca.exe_lang.ini | inpwglkgm.exe
File opened for modification | C:\Windows\SysWOW64\insbquvhx.exe_lang.ini | inaivxrqr.exe
File opened for modification | C:\Windows\SysWOW64\invuwaxma.exe_lang.ini | inlsmacbt.exe
File created | C:\Windows\SysWOW64\inaouaylq.exe | inhsblrqs.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inhscspdt.exe
File opened for modification | C:\Windows\SysWOW64\inzjwmbpr.exe_lang.ini | inwtixaeq.exe
File created | C:\Windows\SysWOW64\inlhpjpqs.exe | indwezqep.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inhomdgwi.exe
File created | C:\Windows\SysWOW64\inqlzpgys.exe | inggtifch.exe
File created | C:\Windows\SysWOW64\indcsegkx.exe | inwezaozq.exe
File created | C:\Windows\SysWOW64\injfqeotx.exe | insofpwae.exe
File opened for modification | C:\Windows\SysWOW64\indxawycz.exe_lang.ini | inzkcszdo.exe
File created | C:\Windows\SysWOW64\inaqgiwze.exe | inasgqvzt.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | incqysiyz.exe
File created | C:\Windows\SysWOW64\indtosnaj.exe | inqxvmprs.exe
File created | C:\Windows\SysWOW64\inyoeaukm.exe | indpalewk.exe
File created | C:\Windows\SysWOW64\inuisngbw.exe | ineamubie.exe
File created | C:\Windows\SysWOW64\injqftzfq.exe | inbhrywnq.exe
File created | C:\Windows\SysWOW64\inhrmfavc.exe | inpdlvxfh.exe
File created | C:\Windows\SysWOW64\ineamubie.exe | inzolinkh.exe
File opened for modification | C:\Windows\SysWOW64\invirzkie.exe_lang.ini | injwbpnkv.exe
File opened for modification | C:\Windows\SysWOW64\inmgmynpz.exe_lang.ini | inuwjozuo.exe
File opened for modification | C:\Windows\SysWOW64\incvyzsfr.exe_lang.ini | inrngsnzc.exe
File opened for modification | C:\Windows\SysWOW64\inqklaasr.exe_lang.ini | insywlfel.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | insjarhdx.exe
File created | C:\Windows\SysWOW64\inhgncqwc.exe | inbohznex.exe
File opened for modification | C:\Windows\SysWOW64\invzzdxxz.exe_lang.ini | inotjfrzg.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | incmhaqvq.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inbrulkss.exe
File created | C:\Windows\SysWOW64\inyegrpfl.exe | ingiuiufd.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inebgydau.exe
File created | C:\Windows\SysWOW64\inrlmbbts.exe | inuzplcxm.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inmktaxgs.exe
File opened for modification | C:\Windows\SysWOW64\inzavthnp.exe_lang.ini | inedyzakd.exe
File created | C:\Windows\SysWOW64\inxhvtpha.exe | inscqyokc.exe
File opened for modification | C:\Windows\SysWOW64\inoxdfqoe.exe_lang.ini | inoioprby.exe
File opened for modification | C:\Windows\SysWOW64\infhthtec.exe_lang.ini | intglbjrf.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inphclvql.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inbxslgig.exe
File opened for modification | C:\Windows\SysWOW64\inmktaxgs.exe_lang.ini | injprzfoi.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | invuwaxma.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | ingiuiufd.exe
File created | C:\Windows\SysWOW64\inztjzmib.exe | inyxgeiit.exe
File created | C:\Windows\SysWOW64\insgoyikn.exe | inpiqqmhr.exe
File created | C:\Windows\SysWOW64\ingtgabri.exe | inocokdvj.exe
File opened for modification | C:\Windows\SysWOW64\injsnioht.exe_lang.ini | insaljfpw.exe
File created | C:\Windows\SysWOW64\inupkqjvx.exe | invwyxcqk.exe
File created | C:\Windows\SysWOW64\inkwblfyk.exe | inwrucabh.exe
File created | C:\Windows\SysWOW64\inpzchsnz.exe | inpscqoss.exe
File opened for modification | C:\Windows\SysWOW64\indskelwb.exe_lang.ini | inpsutmlb.exe
File created | C:\Windows\SysWOW64\inortslka.exe | intcrvwiy.exe
File opened for modification | C:\Windows\SysWOW64\injlxlxig.exe_lang.ini | inligcrtk.exe
File opened for modification | C:\Windows\SysWOW64\inuytzxmg.exe_lang.ini | inorbpnrr.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | inxtemyti.exe
File opened for modification | C:\Windows\SysWOW64\invnbgkek.exe_lang.ini | inczeboin.exe
File created | C:\Windows\SysWOW64\ingugrwmi.exe | inyodrton.exe
File created | C:\Windows\SysWOW64\inotqnqky.exe | inanbwzzr.exe
File opened for modification | C:\Windows\SysWOW64\ineeenyiy.exe_lang.ini | inbuxzyre.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | iniqzgcyz.exe
File created | C:\Windows\SysWOW64\inrfpuysy.exe | infdqdofu.exe
File opened for modification | C:\Windows\SysWOW64\inykmqjhq.exe_lang.ini | inrfpuysy.exe
File opened for modification | C:\Windows\SysWOW64\syslog.dat | intwamnoz.exe
File created | C:\Windows\SysWOW64\inecpcnet.exe | intsuvkkg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
3340 | inldtepix.exe
3340 | inldtepix.exe
560 | inxiaqxbm.exe
560 | inxiaqxbm.exe
2208 | inoavpdfe.exe
2208 | inoavpdfe.exe
4540 | inmeufqjy.exe
4540 | inmeufqjy.exe
224 | invhwkmle.exe
224 | invhwkmle.exe
1204 | inruwvobn.exe
1204 | inruwvobn.exe
3256 | inhwoipfi.exe
3256 | inhwoipfi.exe
4492 | inrngsnzc.exe
4492 | inrngsnzc.exe
3668 | incvyzsfr.exe
3668 | incvyzsfr.exe
4400 | inpsutmlb.exe
4400 | inpsutmlb.exe
1780 | indskelwb.exe
1780 | indskelwb.exe
4376 | inzkcszdo.exe
4376 | inzkcszdo.exe
3204 | indxawycz.exe
3204 | indxawycz.exe
3448 | inkzrlbas.exe
3448 | inkzrlbas.exe
2384 | inuqbjvqf.exe
2384 | inuqbjvqf.exe
904 | inugvjlkd.exe
904 | inugvjlkd.exe
5056 | inwsdlxsh.exe
5056 | inwsdlxsh.exe
3408 | infgwnmcy.exe
3408 | infgwnmcy.exe
376 | inbqiycju.exe
376 | inbqiycju.exe
5012 | indtwnmuu.exe
5012 | indtwnmuu.exe
4392 | inocokdvj.exe
4392 | inocokdvj.exe
704 | ingtgabri.exe
704 | ingtgabri.exe
3960 | inmtnbdcu.exe
3960 | inmtnbdcu.exe
5108 | incsvmltt.exe
5108 | incsvmltt.exe
1504 | inbfyviuk.exe
1504 | inbfyviuk.exe
1056 | invrckwrg.exe
1056 | invrckwrg.exe
2340 | inwhpwale.exe
2340 | inwhpwale.exe
2568 | incrjzdkv.exe
2568 | incrjzdkv.exe
2036 | inxjymong.exe
2036 | inxjymong.exe
3196 | inknedlyl.exe
3196 | inknedlyl.exe
388 | innlypqcs.exe
388 | innlypqcs.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
Token: SeDebugPrivilege | 3340 | inldtepix.exe
Token: SeDebugPrivilege | 560 | inxiaqxbm.exe
Token: SeDebugPrivilege | 2208 | inoavpdfe.exe
Token: SeDebugPrivilege | 4540 | inmeufqjy.exe
Token: SeDebugPrivilege | 224 | invhwkmle.exe
Token: SeDebugPrivilege | 1204 | inruwvobn.exe
Token: SeDebugPrivilege | 3256 | inhwoipfi.exe
Token: SeDebugPrivilege | 4492 | inrngsnzc.exe
Token: SeDebugPrivilege | 3668 | incvyzsfr.exe
Token: SeDebugPrivilege | 4400 | inpsutmlb.exe
Token: SeDebugPrivilege | 1780 | indskelwb.exe
Token: SeDebugPrivilege | 4376 | inzkcszdo.exe
Token: SeDebugPrivilege | 3204 | indxawycz.exe
Token: SeDebugPrivilege | 3448 | inkzrlbas.exe
Token: SeDebugPrivilege | 2384 | inuqbjvqf.exe
Token: SeDebugPrivilege | 904 | inugvjlkd.exe
Token: SeDebugPrivilege | 5056 | inwsdlxsh.exe
Token: SeDebugPrivilege | 3408 | infgwnmcy.exe
Token: SeDebugPrivilege | 376 | inbqiycju.exe
Token: SeDebugPrivilege | 5012 | indtwnmuu.exe
Token: SeDebugPrivilege | 4392 | inocokdvj.exe
Token: SeDebugPrivilege | 704 | ingtgabri.exe
Token: SeDebugPrivilege | 3960 | inmtnbdcu.exe
Token: SeDebugPrivilege | 5108 | incsvmltt.exe
Token: SeDebugPrivilege | 1504 | inbfyviuk.exe
Token: SeDebugPrivilege | 1056 | invrckwrg.exe
Token: SeDebugPrivilege | 2340 | inwhpwale.exe
Token: SeDebugPrivilege | 2568 | incrjzdkv.exe
Token: SeDebugPrivilege | 2036 | inxjymong.exe
Token: SeDebugPrivilege | 3196 | inknedlyl.exe
Token: SeDebugPrivilege | 388 | innlypqcs.exe
Token: SeDebugPrivilege | 660 | inzvgovkd.exe
Token: SeDebugPrivilege | 3408 | infgwnmcy.exe
Token: SeDebugPrivilege | 3848 | inaivxrqr.exe
Token: SeDebugPrivilege | 4948 | insbquvhx.exe
Token: SeDebugPrivilege | 3968 | ingvzmksi.exe
Token: SeDebugPrivilege | 1200 | innfvgrkz.exe
Token: SeDebugPrivilege | 2756 | inbrulkss.exe
Token: SeDebugPrivilege | 4872 | inhwfuyzl.exe
Token: SeDebugPrivilege | 5060 | inortslka.exe
Token: SeDebugPrivilege | 1056 | invrckwrg.exe
Token: SeDebugPrivilege | 3936 | inopeewva.exe
Token: SeDebugPrivilege | 884 | injwnoaqy.exe
Token: SeDebugPrivilege | 1188 | inxtemyti.exe
Token: SeDebugPrivilege | 3992 | inzloqpih.exe
Token: SeDebugPrivilege | 3252 | insvxwpco.exe
Token: SeDebugPrivilege | 3084 | injyqkarh.exe
Token: SeDebugPrivilege | 460 | intpaiupe.exe
Token: SeDebugPrivilege | 548 | inyufnzuj.exe
Token: SeDebugPrivilege | 3668 | incgzwjvl.exe
Token: SeDebugPrivilege | 1368 | inaphxbit.exe
Token: SeDebugPrivilege | 4580 | inpleqlxa.exe
Token: SeDebugPrivilege | 1640 | intcrvwiy.exe
Token: SeDebugPrivilege | 5060 | inortslka.exe
Token: SeDebugPrivilege | 3700 | inadbobmd.exe
Token: SeDebugPrivilege | 4512 | inwixlnmf.exe
Token: SeDebugPrivilege | 2348 | inumafjdj.exe
Token: SeDebugPrivilege | 1756 | inmhxsddw.exe
Token: SeDebugPrivilege | 4344 | infnwdvwr.exe
Token: SeDebugPrivilege | 2248 | inykznpoh.exe
Token: SeDebugPrivilege | 208 | inhwnltjf.exe
Token: SeDebugPrivilege | 3648 | inscqyokc.exe
Token: SeDebugPrivilege | 2860 | inxhvtpha.exe
Suspicious use of SetWindowsHookEx (28 IoCs)
pid | Process
3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe
3340 | inldtepix.exe
560 | inxiaqxbm.exe
2208 | inoavpdfe.exe
4540 | inmeufqjy.exe
224 | invhwkmle.exe
1204 | inruwvobn.exe
3256 | inhwoipfi.exe
4492 | inrngsnzc.exe
3668 | incvyzsfr.exe
4400 | inpsutmlb.exe
1780 | indskelwb.exe
4376 | inzkcszdo.exe
3204 | indxawycz.exe
3448 | inkzrlbas.exe
2384 | inuqbjvqf.exe
904 | inugvjlkd.exe
5056 | inwsdlxsh.exe
3408 | infgwnmcy.exe
376 | inbqiycju.exe
5012 | indtwnmuu.exe
4392 | inocokdvj.exe
704 | ingtgabri.exe
3960 | inmtnbdcu.exe
5108 | incsvmltt.exe
1504 | inbfyviuk.exe
1056 | invrckwrg.exe
2340 | inwhpwale.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3748 wrote to memory of 3340 | 3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe | 87
PID 3748 wrote to memory of 3340 | 3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe | 87
PID 3748 wrote to memory of 3340 | 3748 | NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe | 87
PID 3340 wrote to memory of 560 | 3340 | inldtepix.exe | 89
PID 3340 wrote to memory of 560 | 3340 | inldtepix.exe | 89
PID 3340 wrote to memory of 560 | 3340 | inldtepix.exe | 89
PID 560 wrote to memory of 2208 | 560 | inxiaqxbm.exe | 90
PID 560 wrote to memory of 2208 | 560 | inxiaqxbm.exe | 90
PID 560 wrote to memory of 2208 | 560 | inxiaqxbm.exe | 90
PID 2208 wrote to memory of 4540 | 2208 | inoavpdfe.exe | 91
PID 2208 wrote to memory of 4540 | 2208 | inoavpdfe.exe | 91
PID 2208 wrote to memory of 4540 | 2208 | inoavpdfe.exe | 91
PID 4540 wrote to memory of 224 | 4540 | inmeufqjy.exe | 93
PID 4540 wrote to memory of 224 | 4540 | inmeufqjy.exe | 93
PID 4540 wrote to memory of 224 | 4540 | inmeufqjy.exe | 93
PID 224 wrote to memory of 1204 | 224 | invhwkmle.exe | 94
PID 224 wrote to memory of 1204 | 224 | invhwkmle.exe | 94
PID 224 wrote to memory of 1204 | 224 | invhwkmle.exe | 94
PID 1204 wrote to memory of 3256 | 1204 | inruwvobn.exe | 105
PID 1204 wrote to memory of 3256 | 1204 | inruwvobn.exe | 105
PID 1204 wrote to memory of 3256 | 1204 | inruwvobn.exe | 105
PID 3256 wrote to memory of 4492 | 3256 | inhwoipfi.exe | 95
PID 3256 wrote to memory of 4492 | 3256 | inhwoipfi.exe | 95
PID 3256 wrote to memory of 4492 | 3256 | inhwoipfi.exe | 95
PID 4492 wrote to memory of 3668 | 4492 | inrngsnzc.exe | 96
PID 4492 wrote to memory of 3668 | 4492 | inrngsnzc.exe | 96
PID 4492 wrote to memory of 3668 | 4492 | inrngsnzc.exe | 96
PID 3668 wrote to memory of 4400 | 3668 | incvyzsfr.exe | 97
PID 3668 wrote to memory of 4400 | 3668 | incvyzsfr.exe | 97
PID 3668 wrote to memory of 4400 | 3668 | incvyzsfr.exe | 97
PID 4400 wrote to memory of 1780 | 4400 | inpsutmlb.exe | 98
PID 4400 wrote to memory of 1780 | 4400 | inpsutmlb.exe | 98
PID 4400 wrote to memory of 1780 | 4400 | inpsutmlb.exe | 98
PID 1780 wrote to memory of 4376 | 1780 | indskelwb.exe | 99
PID 1780 wrote to memory of 4376 | 1780 | indskelwb.exe | 99
PID 1780 wrote to memory of 4376 | 1780 | indskelwb.exe | 99
PID 4376 wrote to memory of 3204 | 4376 | inzkcszdo.exe | 100
PID 4376 wrote to memory of 3204 | 4376 | inzkcszdo.exe | 100
PID 4376 wrote to memory of 3204 | 4376 | inzkcszdo.exe | 100
PID 3204 wrote to memory of 3448 | 3204 | indxawycz.exe | 101
PID 3204 wrote to memory of 3448 | 3204 | indxawycz.exe | 101
PID 3204 wrote to memory of 3448 | 3204 | indxawycz.exe | 101
PID 3448 wrote to memory of 2384 | 3448 | inkzrlbas.exe | 102
PID 3448 wrote to memory of 2384 | 3448 | inkzrlbas.exe | 102
PID 3448 wrote to memory of 2384 | 3448 | inkzrlbas.exe | 102
PID 2384 wrote to memory of 904 | 2384 | inuqbjvqf.exe | 103
PID 2384 wrote to memory of 904 | 2384 | inuqbjvqf.exe | 103
PID 2384 wrote to memory of 904 | 2384 | inuqbjvqf.exe | 103
PID 904 wrote to memory of 5056 | 904 | inugvjlkd.exe | 104
PID 904 wrote to memory of 5056 | 904 | inugvjlkd.exe | 104
PID 904 wrote to memory of 5056 | 904 | inugvjlkd.exe | 104
PID 5056 wrote to memory of 3408 | 5056 | inwsdlxsh.exe | 106
PID 5056 wrote to memory of 3408 | 5056 | inwsdlxsh.exe | 106
PID 5056 wrote to memory of 3408 | 5056 | inwsdlxsh.exe | 106
PID 3408 wrote to memory of 376 | 3408 | infgwnmcy.exe | 107
PID 3408 wrote to memory of 376 | 3408 | infgwnmcy.exe | 107
PID 3408 wrote to memory of 376 | 3408 | infgwnmcy.exe | 107
PID 376 wrote to memory of 5012 | 376 | inbqiycju.exe | 108
PID 376 wrote to memory of 5012 | 376 | inbqiycju.exe | 108
PID 376 wrote to memory of 5012 | 376 | inbqiycju.exe | 108
PID 5012 wrote to memory of 4392 | 5012 | indtwnmuu.exe | 109
PID 5012 wrote to memory of 4392 | 5012 | indtwnmuu.exe | 109
PID 5012 wrote to memory of 4392 | 5012 | indtwnmuu.exe | 109
PID 4392 wrote to memory of 704 | 4392 | inocokdvj.exe | 110
Processes
Format: depth. PID | image path | command line | signatures triggered by that process

Tree 1 (root: the submitted sample)
1. PID 3748 | C:\Users\Admin\AppData\Local\Temp\NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.42b86f192d5f944b5f7458e81fe8a2d0.exe" | Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
2. PID 3340 | C:\Windows\SysWOW64\inldtepix.exe | C:\Windows\system32\inldtepix.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
3. PID 560 | C:\Windows\SysWOW64\inxiaqxbm.exe | C:\Windows\system32\inxiaqxbm.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
4. PID 2208 | C:\Windows\SysWOW64\inoavpdfe.exe | C:\Windows\system32\inoavpdfe.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
5. PID 4540 | C:\Windows\SysWOW64\inmeufqjy.exe | C:\Windows\system32\inmeufqjy.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
6. PID 224 | C:\Windows\SysWOW64\invhwkmle.exe | C:\Windows\system32\invhwkmle.exe | Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
7. PID 1204 | C:\Windows\SysWOW64\inruwvobn.exe | C:\Windows\system32\inruwvobn.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
8. PID 3256 | C:\Windows\SysWOW64\inhwoipfi.exe | C:\Windows\system32\inhwoipfi.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

Tree 2 (root: inrngsnzc.exe)
1. PID 4492 | C:\Windows\SysWOW64\inrngsnzc.exe | C:\Windows\system32\inrngsnzc.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
2. PID 3668 | C:\Windows\SysWOW64\incvyzsfr.exe | C:\Windows\system32\incvyzsfr.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
3. PID 4400 | C:\Windows\SysWOW64\inpsutmlb.exe | C:\Windows\system32\inpsutmlb.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
4. PID 1780 | C:\Windows\SysWOW64\indskelwb.exe | C:\Windows\system32\indskelwb.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
5. PID 4376 | C:\Windows\SysWOW64\inzkcszdo.exe | C:\Windows\system32\inzkcszdo.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
6. PID 3204 | C:\Windows\SysWOW64\indxawycz.exe | C:\Windows\system32\indxawycz.exe | Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
7. PID 3448 | C:\Windows\SysWOW64\inkzrlbas.exe | C:\Windows\system32\inkzrlbas.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
8. PID 2384 | C:\Windows\SysWOW64\inuqbjvqf.exe | C:\Windows\system32\inuqbjvqf.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
9. PID 904 | C:\Windows\SysWOW64\inugvjlkd.exe | C:\Windows\system32\inugvjlkd.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
10. PID 5056 | C:\Windows\SysWOW64\inwsdlxsh.exe | C:\Windows\system32\inwsdlxsh.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
11. PID 3408 | C:\Windows\SysWOW64\inaexuhtj.exe | C:\Windows\system32\inaexuhtj.exe | Executes dropped EXE
12. PID 376 | C:\Windows\SysWOW64\inbqiycju.exe | C:\Windows\system32\inbqiycju.exe | Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
13. PID 5012 | C:\Windows\SysWOW64\indtwnmuu.exe | C:\Windows\system32\indtwnmuu.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
14. PID 4392 | C:\Windows\SysWOW64\inocokdvj.exe | C:\Windows\system32\inocokdvj.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
15. PID 704 | C:\Windows\SysWOW64\ingtgabri.exe | C:\Windows\system32\ingtgabri.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
16. PID 3960 | C:\Windows\SysWOW64\inmtnbdcu.exe | C:\Windows\system32\inmtnbdcu.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
17. PID 5108 | C:\Windows\SysWOW64\incsvmltt.exe | C:\Windows\system32\incsvmltt.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
18. PID 1504 | C:\Windows\SysWOW64\inbfyviuk.exe | C:\Windows\system32\inbfyviuk.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
19. PID 1056 | C:\Windows\SysWOW64\intfuikjc.exe | C:\Windows\system32\intfuikjc.exe | none listed
20. PID 2340 | C:\Windows\SysWOW64\inwhpwale.exe | C:\Windows\system32\inwhpwale.exe | Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
21. PID 2568 | C:\Windows\SysWOW64\incrjzdkv.exe | C:\Windows\system32\incrjzdkv.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
22. PID 2036 | C:\Windows\SysWOW64\inxjymong.exe | C:\Windows\system32\inxjymong.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
23. PID 3196 | C:\Windows\SysWOW64\inknedlyl.exe | C:\Windows\system32\inknedlyl.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
24. PID 388 | C:\Windows\SysWOW64\innlypqcs.exe | C:\Windows\system32\innlypqcs.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
25. PID 660 | C:\Windows\SysWOW64\inzvgovkd.exe | C:\Windows\system32\inzvgovkd.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
26. PID 3408 | C:\Windows\SysWOW64\infgwnmcy.exe | C:\Windows\system32\infgwnmcy.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
27. PID 3848 | C:\Windows\SysWOW64\inaivxrqr.exe | C:\Windows\system32\inaivxrqr.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
28. PID 4948 | C:\Windows\SysWOW64\insbquvhx.exe | C:\Windows\system32\insbquvhx.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
29. PID 3968 | C:\Windows\SysWOW64\ingvzmksi.exe | C:\Windows\system32\ingvzmksi.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
30. PID 1200 | C:\Windows\SysWOW64\innfvgrkz.exe | C:\Windows\system32\innfvgrkz.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
31. PID 2756 | C:\Windows\SysWOW64\inbrulkss.exe | C:\Windows\system32\inbrulkss.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
32. PID 4872 | C:\Windows\SysWOW64\inhwfuyzl.exe | C:\Windows\system32\inhwfuyzl.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
33. PID 5060 | C:\Windows\SysWOW64\insohtodl.exe | C:\Windows\system32\insohtodl.exe | none listed
34. PID 1056 | C:\Windows\SysWOW64\invrckwrg.exe | C:\Windows\system32\invrckwrg.exe | Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
35. PID 3936 | C:\Windows\SysWOW64\inopeewva.exe | C:\Windows\system32\inopeewva.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
36. PID 884 | C:\Windows\SysWOW64\injwnoaqy.exe | C:\Windows\system32\injwnoaqy.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
37. PID 1188 | C:\Windows\SysWOW64\inxtemyti.exe | C:\Windows\system32\inxtemyti.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
38. PID 3992 | C:\Windows\SysWOW64\inzloqpih.exe | C:\Windows\system32\inzloqpih.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
39. PID 3252 | C:\Windows\SysWOW64\insvxwpco.exe | C:\Windows\system32\insvxwpco.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
40. PID 3084 | C:\Windows\SysWOW64\injyqkarh.exe | C:\Windows\system32\injyqkarh.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
41. PID 460 | C:\Windows\SysWOW64\intpaiupe.exe | C:\Windows\system32\intpaiupe.exe | Modifies Installed Components in the registry; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
42. PID 548 | C:\Windows\SysWOW64\inyufnzuj.exe | C:\Windows\system32\inyufnzuj.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
43. PID 3668 | C:\Windows\SysWOW64\incgzwjvl.exe | C:\Windows\system32\incgzwjvl.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
44. PID 1368 | C:\Windows\SysWOW64\inaphxbit.exe | C:\Windows\system32\inaphxbit.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
45. PID 4580 | C:\Windows\SysWOW64\insezthji.exe | C:\Windows\system32\insezthji.exe | none listed
46. PID 1640 | C:\Windows\SysWOW64\intcrvwiy.exe | C:\Windows\system32\intcrvwiy.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
47. PID 5060 | C:\Windows\SysWOW64\inortslka.exe | C:\Windows\system32\inortslka.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
48. PID 3700 | C:\Windows\SysWOW64\inadbobmd.exe | C:\Windows\system32\inadbobmd.exe | Modifies Installed Components in the registry; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
49. PID 4512 | C:\Windows\SysWOW64\inwixlnmf.exe | C:\Windows\system32\inwixlnmf.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
50. PID 2348 | C:\Windows\SysWOW64\inumafjdj.exe | C:\Windows\system32\inumafjdj.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
51. PID 1756 | C:\Windows\SysWOW64\inmhxsddw.exe | C:\Windows\system32\inmhxsddw.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
52. PID 4344 | C:\Windows\SysWOW64\infnwdvwr.exe | C:\Windows\system32\infnwdvwr.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
53. PID 2248 | C:\Windows\SysWOW64\inkbaivic.exe | C:\Windows\system32\inkbaivic.exe | none listed
54. PID 208 | C:\Windows\SysWOW64\inhwnltjf.exe | C:\Windows\system32\inhwnltjf.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
55. PID 3648 | C:\Windows\SysWOW64\inscqyokc.exe | C:\Windows\system32\inscqyokc.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
56. PID 2860 | C:\Windows\SysWOW64\inxhvtpha.exe | C:\Windows\system32\inxhvtpha.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
57. PID 4580 | C:\Windows\SysWOW64\inpleqlxa.exe | C:\Windows\system32\inpleqlxa.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
58. PID 1736 | C:\Windows\SysWOW64\inwmpgfnn.exe | C:\Windows\system32\inwmpgfnn.exe | none listed
59. PID 2268 | C:\Windows\SysWOW64\inapnrseu.exe | C:\Windows\system32\inapnrseu.exe | none listed
60. PID 4452 | C:\Windows\SysWOW64\ingvnhoze.exe | C:\Windows\system32\ingvnhoze.exe | none listed
61. PID 2552 | C:\Windows\SysWOW64\inlsmacbt.exe | C:\Windows\system32\inlsmacbt.exe | Drops file in System32 directory
62. PID 4024 | C:\Windows\SysWOW64\invuwaxma.exe | C:\Windows\system32\invuwaxma.exe | Drops file in System32 directory
63. PID 1696 | C:\Windows\SysWOW64\inomzqrdt.exe | C:\Windows\system32\inomzqrdt.exe | none listed
64. PID 4380 | C:\Windows\SysWOW64\inhfsfaqh.exe | C:\Windows\system32\inhfsfaqh.exe | none listed
65. PID 2248 | C:\Windows\SysWOW64\inykznpoh.exe | C:\Windows\system32\inykznpoh.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
66. PID 1472 | C:\Windows\SysWOW64\inxsdoolp.exe | C:\Windows\system32\inxsdoolp.exe | none listed
67. PID 4460 | C:\Windows\SysWOW64\inbmkzbqa.exe | C:\Windows\system32\inbmkzbqa.exe | none listed
68. PID 3172 | C:\Windows\SysWOW64\inbaqtkjr.exe | C:\Windows\system32\inbaqtkjr.exe | none listed
69. PID 4780 | C:\Windows\SysWOW64\inyjbrycn.exe | C:\Windows\system32\inyjbrycn.exe | none listed
70. PID 3608 | C:\Windows\SysWOW64\inogwahsa.exe | C:\Windows\system32\inogwahsa.exe | none listed
71. PID 2708 | C:\Windows\SysWOW64\inrdysgih.exe | C:\Windows\system32\inrdysgih.exe | Modifies Installed Components in the registry
72. PID 3392 | C:\Windows\SysWOW64\inmxiifwj.exe | C:\Windows\system32\inmxiifwj.exe | none listed
73. PID 3344 | C:\Windows\SysWOW64\indtkzjxv.exe | C:\Windows\system32\indtkzjxv.exe | none listed
74. PID 224 | C:\Windows\SysWOW64\innqsrkjz.exe | C:\Windows\system32\innqsrkjz.exe | Modifies Installed Components in the registry
75. PID 1428 | C:\Windows\SysWOW64\inbjwysrs.exe | C:\Windows\system32\inbjwysrs.exe | none listed
76. PID 4124 | C:\Windows\SysWOW64\inixpjqgj.exe | C:\Windows\system32\inixpjqgj.exe | none listed
77. PID 3924 | C:\Windows\SysWOW64\innuocedv.exe | C:\Windows\system32\innuocedv.exe | none listed
78. PID 964 | C:\Windows\SysWOW64\inbuxzyre.exe | C:\Windows\system32\inbuxzyre.exe | Modifies Installed Components in the registry; Drops file in System32 directory
79. PID 1300 | C:\Windows\SysWOW64\ineeenyiy.exe | C:\Windows\system32\ineeenyiy.exe | none listed
80. PID 4648 | C:\Windows\SysWOW64\inigtklnv.exe | C:\Windows\system32\inigtklnv.exe | none listed
81. PID 1356 | C:\Windows\SysWOW64\inatybwnb.exe | C:\Windows\system32\inatybwnb.exe | none listed
82. PID 3608 | C:\Windows\SysWOW64\inbqostfv.exe | C:\Windows\system32\inbqostfv.exe | Modifies Installed Components in the registry
83. PID 1104 | C:\Windows\SysWOW64\inrjcgagg.exe | C:\Windows\system32\inrjcgagg.exe | Modifies Installed Components in the registry
84. PID 1452 | C:\Windows\SysWOW64\inljyapnv.exe | C:\Windows\system32\inljyapnv.exe | none listed
85. PID 4836 | C:\Windows\SysWOW64\inckxztas.exe | C:\Windows\system32\inckxztas.exe | none listed
86. PID 4948 | C:\Windows\SysWOW64\infudswxj.exe | C:\Windows\system32\infudswxj.exe | none listed
87. PID 1224 | C:\Windows\SysWOW64\inqmfrmyb.exe | C:\Windows\system32\inqmfrmyb.exe | Modifies Installed Components in the registry
88. PID 3728 | C:\Windows\SysWOW64\inmnccutj.exe | C:\Windows\system32\inmnccutj.exe | none listed
89. PID 880 | C:\Windows\SysWOW64\ingiuiufd.exe | C:\Windows\system32\ingiuiufd.exe | Drops file in System32 directory
90. PID 4852 | C:\Windows\SysWOW64\inyegrpfl.exe | C:\Windows\system32\inyegrpfl.exe | none listed
91. PID 1948 | C:\Windows\SysWOW64\inmflkmos.exe | C:\Windows\system32\inmflkmos.exe | none listed
92. PID 3252 | C:\Windows\SysWOW64\infumgnyd.exe | C:\Windows\system32\infumgnyd.exe | none listed
93. PID 664 | C:\Windows\SysWOW64\ingvetxyk.exe | C:\Windows\system32\ingvetxyk.exe | none listed
94. PID 4484 | C:\Windows\SysWOW64\ingtvpopk.exe | C:\Windows\system32\ingtvpopk.exe | none listed
95. PID 4480 | C:\Windows\SysWOW64\inazpsjiq.exe | C:\Windows\system32\inazpsjiq.exe | none listed
96. PID 548 | C:\Windows\SysWOW64\insaljfpw.exe | C:\Windows\system32\insaljfpw.exe | Drops file in System32 directory
97. PID 2656 | C:\Windows\SysWOW64\injsnioht.exe | C:\Windows\system32\injsnioht.exe | none listed
98. PID 4460 | C:\Windows\SysWOW64\inarenvge.exe | C:\Windows\system32\inarenvge.exe | none listed
99. PID 3496 | C:\Windows\SysWOW64\indlyubtu.exe | C:\Windows\system32\indlyubtu.exe | none listed
100. PID 3204 | C:\Windows\SysWOW64\inilcbjwj.exe | C:\Windows\system32\inilcbjwj.exe | none listed
101. PID 4228 | C:\Windows\SysWOW64\inlhzufqa.exe | C:\Windows\system32\inlhzufqa.exe | Modifies Installed Components in the registry
102. PID 3096 | C:\Windows\SysWOW64\inetlfmxc.exe | C:\Windows\system32\inetlfmxc.exe | none listed
103. PID 3796 | C:\Windows\SysWOW64\iniqzgcyz.exe | C:\Windows\system32\iniqzgcyz.exe | Drops file in System32 directory
104. PID 2992 | C:\Windows\SysWOW64\invmdukgq.exe | C:\Windows\system32\invmdukgq.exe | none listed
105. PID 3420 | C:\Windows\SysWOW64\intojzuff.exe | C:\Windows\system32\intojzuff.exe | none listed
106. PID 3968 | C:\Windows\SysWOW64\inzhpyfbx.exe | C:\Windows\system32\inzhpyfbx.exe | none listed
107. PID 4948 | C:\Windows\SysWOW64\intsuvkkg.exe | C:\Windows\system32\intsuvkkg.exe | Drops file in System32 directory
108. PID 4976 | C:\Windows\SysWOW64\inecpcnet.exe | C:\Windows\system32\inecpcnet.exe | none listed
109. PID 3924 | C:\Windows\SysWOW64\inlvjosms.exe | C:\Windows\system32\inlvjosms.exe | none listed
110. PID 4632 | C:\Windows\SysWOW64\injmdckxk.exe | C:\Windows\system32\injmdckxk.exe | none listed
111. PID 4960 | C:\Windows\SysWOW64\infvqbbup.exe | C:\Windows\system32\infvqbbup.exe | none listed
112. PID 1172 | C:\Windows\SysWOW64\ingerepgv.exe | C:\Windows\system32\ingerepgv.exe | none listed
113. PID 1392 | C:\Windows\SysWOW64\inaikwkwh.exe | C:\Windows\system32\inaikwkwh.exe | none listed
114. PID 372 | C:\Windows\SysWOW64\indqsmlmh.exe | C:\Windows\system32\indqsmlmh.exe | none listed
115. PID 2240 | C:\Windows\SysWOW64\inatwyxqd.exe | C:\Windows\system32\inatwyxqd.exe | none listed
116. PID 5100 | C:\Windows\SysWOW64\indwztgsi.exe | C:\Windows\system32\indwztgsi.exe | none listed
117. PID 2756 | C:\Windows\SysWOW64\incsnrmiw.exe | C:\Windows\system32\incsnrmiw.exe | none listed
118. PID 944 | C:\Windows\SysWOW64\inkivmnpx.exe | C:\Windows\system32\inkivmnpx.exe | none listed
119. PID 3916 | C:\Windows\SysWOW64\inyctgpxi.exe | C:\Windows\system32\inyctgpxi.exe | none listed
120. PID 3752 | C:\Windows\SysWOW64\inqjpgzht.exe | C:\Windows\system32\inqjpgzht.exe | none listed
121. PID 4648 | C:\Windows\SysWOW64\inewrcnnk.exe | C:\Windows\system32\inewrcnnk.exe | none listed
122. PID 1344 | C:\Windows\SysWOW64\inmibthrw.exe | C:\Windows\system32\inmibthrw.exe | Modifies Installed Components in the registry