Analysis
max time kernel
73s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-11-2023 02:33
Behavioral task
behavioral1
Sample
NEAS.ddc35a8e0a6fba3b527542d9af0571b0.exe
Resource
win7-20231023-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ddc35a8e0a6fba3b527542d9af0571b0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
11 signatures
150 seconds
General
Target
NEAS.ddc35a8e0a6fba3b527542d9af0571b0.exe
Size
348KB
MD5
ddc35a8e0a6fba3b527542d9af0571b0
SHA1
9fd7ff02ce3ef685f1cb283d8afa1ab6f1720eb5
SHA256
fb8ed52376fcf581f683e3ff5a7b9bb2dfc7b29077e651e07f7755bb6fe47312
SHA512
bb5fb36fc0d83c5c63ddc1a36300edb516841f91c6297b9efbc57c477c9bff65cc78f906e0c5b8d65fe337f5d359ec54c9f9616454581a697ed4a9e2a482884b
SSDEEP
6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0S2:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0i
Score
10/10
Malware Config
Signatures
Gh0st RAT payload 62 IoCs
Modifies Installed Components in the registry 2 TTPs 64 IoCs
ACProtect 1.3x - 1.4x DLL software 33 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.ddc35a8e0a6fba3b527542d9af0571b0.exe (PID 5040), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ddc35a8e0a6fba3b527542d9af0571b0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 2: C:\Windows\SysWOW64\inykznpoh.exe (PID 4564), command line: C:\Windows\system32\inykznpoh.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 3: C:\Windows\SysWOW64\inaphxbit.exe (PID 1252), command line: C:\Windows\system32\inaphxbit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 4: C:\Windows\SysWOW64\inmtnbdcu.exe (PID 3124), command line: C:\Windows\system32\inmtnbdcu.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 5: C:\Windows\SysWOW64\inpleqlxa.exe (PID 4928), command line: C:\Windows\system32\inpleqlxa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 6: C:\Windows\SysWOW64\inuqbjvqf.exe (PID 1220), command line: C:\Windows\system32\inuqbjvqf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 7: C:\Windows\SysWOW64\injyqkarh.exe (PID 4452), command line: C:\Windows\system32\injyqkarh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 8: C:\Windows\SysWOW64\inoavpdfe.exe (PID 4284), command line: C:\Windows\system32\inoavpdfe.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 9: C:\Windows\SysWOW64\inlsmacbt.exe (PID 1360), command line: C:\Windows\system32\inlsmacbt.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 10: C:\Windows\SysWOW64\inmeufqjy.exe (PID 2264), command line: C:\Windows\system32\inmeufqjy.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 11: C:\Windows\SysWOW64\inrdysgih.exe (PID 3088), command line: C:\Windows\system32\inrdysgih.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 12: C:\Windows\SysWOW64\inbfyviuk.exe (PID 508), command line: C:\Windows\system32\inbfyviuk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 13: C:\Windows\SysWOW64\inazpsjiq.exe (PID 1956), command line: C:\Windows\system32\inazpsjiq.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 14: C:\Windows\SysWOW64\inwixlnmf.exe (PID 4236), command line: C:\Windows\system32\inwixlnmf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 15: C:\Windows\SysWOW64\indskelwb.exe (PID 4528), command line: C:\Windows\system32\indskelwb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 16: C:\Windows\SysWOW64\inmprqjiy.exe (PID 464), command line: C:\Windows\system32\inmprqjiy.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 17: C:\Windows\SysWOW64\inbuxzyre.exe (PID 5108), command line: C:\Windows\system32\inbuxzyre.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 18: C:\Windows\SysWOW64\inkzrlbas.exe (PID 3220), command line: C:\Windows\system32\inkzrlbas.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 19: C:\Windows\SysWOW64\incrjzdkv.exe (PID 5064), command line: C:\Windows\system32\incrjzdkv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 20: C:\Windows\SysWOW64\ineuxonvv.exe (PID 64), command line: C:\Windows\system32\ineuxonvv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 21: C:\Windows\SysWOW64\inrngsnzc.exe (PID 3976), command line: C:\Windows\system32\inrngsnzc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 22: C:\Windows\SysWOW64\inhwnltjf.exe (PID 4280), command line: C:\Windows\system32\inhwnltjf.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- level 23: C:\Windows\SysWOW64\inadbobmd.exe (PID 2316), command line: C:\Windows\system32\inadbobmd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 24: C:\Windows\SysWOW64\inwhpwale.exe (PID 2528), command line: C:\Windows\system32\inwhpwale.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 25: C:\Windows\SysWOW64\inknedlyl.exe (PID 5044), command line: C:\Windows\system32\inknedlyl.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 26: C:\Windows\SysWOW64\inxtemyti.exe (PID 5104), command line: C:\Windows\system32\inxtemyti.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 27: C:\Windows\SysWOW64\innlypqcs.exe (PID 3300), command line: C:\Windows\system32\innlypqcs.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 28: C:\Windows\SysWOW64\inxiaqxbm.exe (PID 4380), command line: C:\Windows\system32\inxiaqxbm.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- level 29: C:\Windows\SysWOW64\innqsrkjz.exe (PID 3216), command line: C:\Windows\system32\innqsrkjz.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- level 30: C:\Windows\SysWOW64\inqcxrfhg.exe (PID 5040), command line: C:\Windows\system32\inqcxrfhg.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- level 31: C:\Windows\SysWOW64\inyufnzuj.exe (PID 2960), command line: C:\Windows\system32\inyufnzuj.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- level 32: C:\Windows\SysWOW64\inzkcszdo.exe (PID 960), command line: C:\Windows\system32\inzkcszdo.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- level 33: C:\Windows\SysWOW64\inpsutmlb.exe (PID 5108), command line: C:\Windows\system32\inpsutmlb.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 34: C:\Windows\SysWOW64\insezthji.exe (PID 4868), command line: C:\Windows\system32\insezthji.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 35: C:\Windows\SysWOW64\indwztgsi.exe (PID 4928), command line: C:\Windows\system32\indwztgsi.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 36: C:\Windows\SysWOW64\inxsdoolp.exe (PID 1168), command line: C:\Windows\system32\inxsdoolp.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 37: C:\Windows\SysWOW64\inscqyokc.exe (PID 2128), command line: C:\Windows\system32\inscqyokc.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 38: C:\Windows\SysWOW64\inpqffxwb.exe (PID 3768), command line: C:\Windows\system32\inpqffxwb.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 39: C:\Windows\SysWOW64\inkivmnpx.exe (PID 3844), command line: C:\Windows\system32\inkivmnpx.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 40: C:\Windows\SysWOW64\inqklaasr.exe (PID 2012), command line: C:\Windows\system32\inqklaasr.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 41: C:\Windows\SysWOW64\inzvgovkd.exe (PID 4576), command line: C:\Windows\system32\inzvgovkd.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 42: C:\Windows\SysWOW64\intsuvkkg.exe (PID 5060), command line: C:\Windows\system32\intsuvkkg.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 43: C:\Windows\SysWOW64\inecpcnet.exe (PID 4164), command line: C:\Windows\system32\inecpcnet.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 44: C:\Windows\SysWOW64\inaexuhtj.exe (PID 4356), command line: C:\Windows\system32\inaexuhtj.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 45: C:\Windows\SysWOW64\inyegrpfl.exe (PID 3060), command line: C:\Windows\system32\inyegrpfl.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 46: C:\Windows\SysWOW64\inbqostfv.exe (PID 5068), command line: C:\Windows\system32\inbqostfv.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 47: C:\Windows\SysWOW64\incgzwjvl.exe (PID 720), command line: C:\Windows\system32\incgzwjvl.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 48: C:\Windows\SysWOW64\insohtodl.exe (PID 4432), command line: C:\Windows\system32\insohtodl.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 49: C:\Windows\SysWOW64\inqdpfzcy.exe (PID 1412), command line: C:\Windows\system32\inqdpfzcy.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 50: C:\Windows\SysWOW64\inigtklnv.exe (PID 5064), command line: C:\Windows\system32\inigtklnv.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 51: C:\Windows\SysWOW64\inwsdlxsh.exe (PID 3264), command line: C:\Windows\system32\inwsdlxsh.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 52: C:\Windows\SysWOW64\inmawkptn.exe (PID 1232), command line: C:\Windows\system32\inmawkptn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 53: C:\Windows\SysWOW64\injmdckxk.exe (PID 1516), command line: C:\Windows\system32\injmdckxk.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 54: C:\Windows\SysWOW64\inyorihpp.exe (PID 2868), command line: C:\Windows\system32\inyorihpp.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 55: C:\Windows\SysWOW64\intcrvwiy.exe (PID 1552), command line: C:\Windows\system32\intcrvwiy.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 56: C:\Windows\SysWOW64\invbdruwx.exe (PID 2620), command line: C:\Windows\system32\invbdruwx.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 57: C:\Windows\SysWOW64\inruwvobn.exe (PID 4188), command line: C:\Windows\system32\inruwvobn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 58: C:\Windows\SysWOW64\ingoxeawx.exe (PID 1800), command line: C:\Windows\system32\ingoxeawx.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 59: C:\Windows\SysWOW64\injkrqgyq.exe (PID 3368), command line: C:\Windows\system32\injkrqgyq.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 60: C:\Windows\SysWOW64\inixpjqgj.exe (PID 432), command line: C:\Windows\system32\inixpjqgj.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 61: C:\Windows\SysWOW64\innfvgrkz.exe (PID 3808), command line: C:\Windows\system32\innfvgrkz.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 62: C:\Windows\SysWOW64\incraptug.exe (PID 5040), command line: C:\Windows\system32\incraptug.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- level 63: C:\Windows\SysWOW64\inahuhbcs.exe (PID 2960), command line: C:\Windows\system32\inahuhbcs.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 64: C:\Windows\SysWOW64\insrzztuj.exe (PID 3124), command line: C:\Windows\system32\insrzztuj.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- level 65: C:\Windows\SysWOW64\indxawycz.exe (PID 1916), command line: C:\Windows\system32\indxawycz.exe
  - Executes dropped EXE
- level 66: C:\Windows\SysWOW64\indlyubtu.exe (PID 4872), command line: C:\Windows\system32\indlyubtu.exe
  - Drops file in System32 directory
- level 67: C:\Windows\SysWOW64\inxjymong.exe (PID 4728), command line: C:\Windows\system32\inxjymong.exe
  - Modifies Installed Components in the registry
- level 68: C:\Windows\SysWOW64\inpkvggzd.exe (PID 4284), command line: C:\Windows\system32\inpkvggzd.exe
  - Modifies Installed Components in the registry
- level 69: C:\Windows\SysWOW64\insbquvhx.exe (PID 1940), command line: C:\Windows\system32\insbquvhx.exe
- level 70: C:\Windows\SysWOW64\indqsmlmh.exe (PID 2440), command line: C:\Windows\system32\indqsmlmh.exe
- level 71: C:\Windows\SysWOW64\inqtvunam.exe (PID 792), command line: C:\Windows\system32\inqtvunam.exe
  - Modifies Installed Components in the registry
- level 72: C:\Windows\SysWOW64\incvyzsfr.exe (PID 2860), command line: C:\Windows\system32\incvyzsfr.exe
- level 73: C:\Windows\SysWOW64\infudswxj.exe (PID 4988), command line: C:\Windows\system32\infudswxj.exe
  - Drops file in System32 directory
- level 74: C:\Windows\SysWOW64\invuwaxma.exe (PID 3300), command line: C:\Windows\system32\invuwaxma.exe
  - Modifies Installed Components in the registry
- level 75: C:\Windows\SysWOW64\insvxwpco.exe (PID 4244), command line: C:\Windows\system32\insvxwpco.exe
  - Modifies Installed Components in the registry
- level 76: C:\Windows\SysWOW64\inwemzvcu.exe (PID 4356), command line: C:\Windows\system32\inwemzvcu.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 77: C:\Windows\SysWOW64\injyiwuqi.exe (PID 3540), command line: C:\Windows\system32\injyiwuqi.exe
- level 78: C:\Windows\SysWOW64\inzydrlkr.exe (PID 2632), command line: C:\Windows\system32\inzydrlkr.exe
- level 79: C:\Windows\SysWOW64\ingugrwmi.exe (PID 1488), command line: C:\Windows\system32\ingugrwmi.exe
  - Modifies Installed Components in the registry
- level 80: C:\Windows\SysWOW64\inrfpuysy.exe (PID 4984), command line: C:\Windows\system32\inrfpuysy.exe
  - Drops file in System32 directory
- level 81: C:\Windows\SysWOW64\intpaiupe.exe (PID 5008), command line: C:\Windows\system32\intpaiupe.exe
- level 82: C:\Windows\SysWOW64\indrzpldy.exe (PID 2128), command line: C:\Windows\system32\indrzpldy.exe
  - Drops file in System32 directory
- level 83: C:\Windows\SysWOW64\invhwkmle.exe (PID 2576), command line: C:\Windows\system32\invhwkmle.exe
- level 84: C:\Windows\SysWOW64\inaikwkwh.exe (PID 864), command line: C:\Windows\system32\inaikwkwh.exe
- level 85: C:\Windows\SysWOW64\infhthtec.exe (PID 2500), command line: C:\Windows\system32\infhthtec.exe
  - Drops file in System32 directory
- level 86: C:\Windows\SysWOW64\inhjvjvge.exe (PID 2732), command line: C:\Windows\system32\inhjvjvge.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 87: C:\Windows\SysWOW64\inogwahsa.exe (PID 3060), command line: C:\Windows\system32\inogwahsa.exe
- level 88: C:\Windows\SysWOW64\intfuikjc.exe (PID 4356), command line: C:\Windows\system32\intfuikjc.exe
- level 89: C:\Windows\SysWOW64\intetdxsy.exe (PID 2208), command line: C:\Windows\system32\intetdxsy.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 90: C:\Windows\SysWOW64\inixomukg.exe (PID 4812), command line: C:\Windows\system32\inixomukg.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 91: C:\Windows\SysWOW64\inejnhnnw.exe (PID 2632), command line: C:\Windows\system32\inejnhnnw.exe
- level 92: C:\Windows\SysWOW64\ingvnhoze.exe (PID 3672), command line: C:\Windows\system32\ingvnhoze.exe
  - Modifies Installed Components in the registry
- level 93: C:\Windows\SysWOW64\infslrijv.exe (PID 2316), command line: C:\Windows\system32\infslrijv.exe
  - Modifies Installed Components in the registry
- level 94: C:\Windows\SysWOW64\innuocedv.exe (PID 3768), command line: C:\Windows\system32\innuocedv.exe
- level 95: C:\Windows\SysWOW64\invrckwrg.exe (PID 2620), command line: C:\Windows\system32\invrckwrg.exe
  - Modifies Installed Components in the registry
- level 96: C:\Windows\SysWOW64\inuhqyjhd.exe (PID 4840), command line: C:\Windows\system32\inuhqyjhd.exe
- level 97: C:\Windows\SysWOW64\infvypoww.exe (PID 2088), command line: C:\Windows\system32\infvypoww.exe
- level 98: C:\Windows\SysWOW64\infgwnmcy.exe (PID 864), command line: C:\Windows\system32\infgwnmcy.exe
  - Drops file in System32 directory
- level 99: C:\Windows\SysWOW64\inaivxrqr.exe (PID 1344), command line: C:\Windows\system32\inaivxrqr.exe
  - Drops file in System32 directory
- level 100: C:\Windows\SysWOW64\inpiofygs.exe (PID 1924), command line: C:\Windows\system32\inpiofygs.exe
- level 101: C:\Windows\SysWOW64\inkbaivic.exe (PID 3556), command line: C:\Windows\system32\inkbaivic.exe
  - Drops file in System32 directory
- level 102: C:\Windows\SysWOW64\inljyapnv.exe (PID 2324), command line: C:\Windows\system32\inljyapnv.exe
- level 103: C:\Windows\SysWOW64\ineybxzdp.exe (PID 4108), command line: C:\Windows\system32\ineybxzdp.exe
  - Drops file in System32 directory
- level 104: C:\Windows\SysWOW64\inzhpyfbx.exe (PID 60), command line: C:\Windows\system32\inzhpyfbx.exe
- level 105: C:\Windows\SysWOW64\inqmfrmyb.exe (PID 3672), command line: C:\Windows\system32\inqmfrmyb.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 106: C:\Windows\SysWOW64\indpalewk.exe (PID 3860), command line: C:\Windows\system32\indpalewk.exe
  - Drops file in System32 directory
- level 107: C:\Windows\SysWOW64\inhwfuyzl.exe (PID 2984), command line: C:\Windows\system32\inhwfuyzl.exe
  - Modifies Installed Components in the registry
- level 108: C:\Windows\SysWOW64\injyixbhg.exe (PID 4716), command line: C:\Windows\system32\injyixbhg.exe
- level 109: C:\Windows\SysWOW64\inmhxsddw.exe (PID 4660), command line: C:\Windows\system32\inmhxsddw.exe
  - Modifies Installed Components in the registry
- level 110: C:\Windows\SysWOW64\inbrulkss.exe (PID 2732), command line: C:\Windows\system32\inbrulkss.exe
- level 111: C:\Windows\SysWOW64\ingwzqpxx.exe (PID 3700), command line: C:\Windows\system32\ingwzqpxx.exe
- level 112: C:\Windows\SysWOW64\ingiuiufd.exe (PID 4504), command line: C:\Windows\system32\ingiuiufd.exe
  - Drops file in System32 directory
- level 113: C:\Windows\SysWOW64\inefvmlzb.exe (PID 3432), command line: C:\Windows\system32\inefvmlzb.exe
  - Drops file in System32 directory
- level 114: C:\Windows\SysWOW64\inbmkzbqa.exe (PID 2672), command line: C:\Windows\system32\inbmkzbqa.exe
  - Modifies Installed Components in the registry
- level 115: C:\Windows\SysWOW64\infumgnyd.exe (PID 4728), command line: C:\Windows\system32\infumgnyd.exe
- level 116: C:\Windows\SysWOW64\inilcbjwj.exe (PID 3076), command line: C:\Windows\system32\inilcbjwj.exe
- level 117: C:\Windows\SysWOW64\inarenvge.exe (PID 1552), command line: C:\Windows\system32\inarenvge.exe
- level 118: C:\Windows\SysWOW64\inugvjlkd.exe (PID 4364), command line: C:\Windows\system32\inugvjlkd.exe
  - Drops file in System32 directory
- level 119: C:\Windows\SysWOW64\inyjbrycn.exe (PID 580), command line: C:\Windows\system32\inyjbrycn.exe
- level 120: C:\Windows\SysWOW64\inwikohfo.exe (PID 2984), command line: C:\Windows\system32\inwikohfo.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 121: C:\Windows\SysWOW64\inbqiycju.exe (PID 2404), command line: C:\Windows\system32\inbqiycju.exe
  - Modifies Installed Components in the registry
  - Drops file in System32 directory
- level 122: C:\Windows\SysWOW64\infnwdvwr.exe (PID 4668), command line: C:\Windows\system32\infnwdvwr.exe