gh0strat | 15c05795419e2b32d14f88c34a58698671f39d95a4fa52c82c4d9b754dce1c46

Analysis

max time kernel
170s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50124fb9b63888e37d8325c77467122.exe
Size

348KB
MD5

d50124fb9b63888e37d8325c77467122
SHA1

f7af8a37cd43f6caeb87dd817fff00b189f33c23
SHA256

15c05795419e2b32d14f88c34a58698671f39d95a4fa52c82c4d9b754dce1c46
SHA512

6a503a4a322f7ac606bdb3b66540145ec3b32a8fd00af495bad8e2a08c193141590a9e7cb4ee3f8fe1dab78958af3fb4b8eff863eb3af436bf053e8e55a9740e
SSDEEP

6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SO:ouLwoZQGpnedeP/deUe1ppGjTGHZRT06

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 46 IoCs

resource	yara_rule
behavioral2/memory/3432-0-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000200000001e7ed-13.dat	family_gh0strat
behavioral2/files/0x000400000001e7eb-20.dat	family_gh0strat
behavioral2/files/0x000200000001e7f9-40.dat	family_gh0strat
behavioral2/files/0x000200000001e7fd-61.dat	family_gh0strat
behavioral2/memory/1376-68-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3432-67-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/4968-69-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000200000001e800-90.dat	family_gh0strat
behavioral2/memory/2016-92-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3508-91-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3508-97-0x0000000002040000-0x00000000020B3000-memory.dmp	family_gh0strat
behavioral2/files/0x000200000001e804-112.dat	family_gh0strat
behavioral2/memory/952-116-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3508-117-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000200000001e808-137.dat	family_gh0strat
behavioral2/memory/952-140-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/2572-144-0x0000000002120000-0x0000000002193000-memory.dmp	family_gh0strat
behavioral2/files/0x000300000001f596-160.dat	family_gh0strat
behavioral2/memory/2572-163-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/1532-165-0x0000000002040000-0x00000000020B3000-memory.dmp	family_gh0strat
behavioral2/files/0x000a000000023011-182.dat	family_gh0strat
behavioral2/memory/1532-186-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000002311e-205.dat	family_gh0strat
behavioral2/memory/3456-209-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x0006000000023122-229.dat	family_gh0strat
behavioral2/memory/1480-232-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x0006000000023126-251.dat	family_gh0strat
behavioral2/memory/1764-255-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000002312a-275.dat	family_gh0strat
behavioral2/memory/1600-278-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000002312e-296.dat	family_gh0strat
behavioral2/files/0x000600000002312e-298.dat	family_gh0strat
behavioral2/memory/4144-300-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x0006000000023132-321.dat	family_gh0strat
behavioral2/memory/808-322-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x0006000000023136-344.dat	family_gh0strat
behavioral2/memory/1368-345-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/files/0x000600000002313a-364.dat	family_gh0strat
behavioral2/memory/3968-368-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3260-387-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/1672-405-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/1812-424-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/1624-444-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/2204-463-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat
behavioral2/memory/3732-482-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB2B4F5-50F2-41f2-97AB-40E62937E415}	inyegrpfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E97956E-AEB7-4c9d-BBB4-959A2E14E1D4}\stubpath = "C:\\Windows\\system32\\inldtepix.exe"	inmtnbdcu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F816B67-9006-4204-8B0D-06E738F1A47D}	indskelwb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{174F64D4-5CA9-4c03-A6B5-541D6238B048}	inaexuhtj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43FFE85B-7EF7-4a02-855D-82E9571D6639}	intfuikjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87665AE7-A4D3-4f2b-8006-50EEFC249E10}	indwztgsi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88516624-5A98-488f-B181-CEDC0E026FEA}\stubpath = "C:\\Windows\\system32\\inocymrvp.exe"	inpqffxwb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B65115-5F5C-4c0c-9073-6FF9F681B111}\stubpath = "C:\\Windows\\system32\\inetlfmxc.exe"	insohtodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EBBB415-02E2-43ad-8F2C-EA4F679DE54C}\stubpath = "C:\\Windows\\system32\\inuqbjvqf.exe"	inldtepix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8C71466-048F-4d6c-8D8D-2E3EF6EADA89}	inwmpgfnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{672E5C51-54AB-4296-A91D-791346A6D225}\stubpath = "C:\\Windows\\system32\\inrshhzyd.exe"	inljyapnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACC1BCD-39B2-4c5b-9C04-620B21A9EF6F}\stubpath = "C:\\Windows\\system32\\insgwlney.exe"	injwnoaqy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DBABF43-17EE-41e0-BEDC-8DD5EEA40D08}\stubpath = "C:\\Windows\\system32\\inejnhnnw.exe"	inqtvunam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22335114-D7E1-43b9-81B1-0693B4A1E2BA}	inyjbrycn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A9B068-80AB-47e5-90BB-BCF360984B47}\stubpath = "C:\\Windows\\system32\\indrzpldy.exe"	incgzwjvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40106805-6861-4670-93AD-60B497D98EA6}	inuinrlrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C96AC7B8-4BA0-4543-B1FF-20266ECC5E17}\stubpath = "C:\\Windows\\system32\\inaexuhtj.exe"	inoavpdfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959CA8DF-1075-4f08-A0E7-3BEE31A34060}\stubpath = "C:\\Windows\\system32\\inpleqlxa.exe"	inbqiycju.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE29BF80-D8F7-4d27-9BC3-5175AF8B9FBC}\stubpath = "C:\\Windows\\system32\\ingvzmksi.exe"	inahuhbcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3F014EE-B03B-42cf-AE6F-5708DC4D10E3}\stubpath = "C:\\Windows\\system32\\incgzwjvl.exe"	inlsmacbt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFDFCB7F-40B5-4bdd-BB86-E646DFA57EB7}	inbbkvfva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DB2B4F5-50F2-41f2-97AB-40E62937E415}\stubpath = "C:\\Windows\\system32\\innlypqcs.exe"	inyegrpfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF47CC90-289D-45a2-9DC7-9EC048F43E02}\stubpath = "C:\\Windows\\system32\\inkzrlbas.exe"	inmprqjiy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CD64FB-B480-49ff-BF20-8091BC7C08DF}\stubpath = "C:\\Windows\\system32\\indtkzjxv.exe"	inxjymong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B442712-A5D2-4266-8A02-EF4FCA72CD2D}	infnwdvwr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFDFCB7F-40B5-4bdd-BB86-E646DFA57EB7}\stubpath = "C:\\Windows\\system32\\injkrqgyq.exe"	inbbkvfva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C72CC88C-A398-4741-A2FE-362ACA1732C9}	innuocedv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43FFE85B-7EF7-4a02-855D-82E9571D6639}\stubpath = "C:\\Windows\\system32\\inhwnltjf.exe"	intfuikjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1140070-C511-4937-972F-8CA8C1D77C3A}	infdqdofu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C72CC88C-A398-4741-A2FE-362ACA1732C9}\stubpath = "C:\\Windows\\system32\\inbfyviuk.exe"	innuocedv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E99D93F-A694-42d9-92E0-BC041AA3FBF8}\stubpath = "C:\\Windows\\system32\\inxsdoolp.exe"	inowmiavg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A77E8520-6E56-4b8f-A85E-9D17FE77E5BB}	inuqbjvqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959CA8DF-1075-4f08-A0E7-3BEE31A34060}	inbqiycju.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3F014EE-B03B-42cf-AE6F-5708DC4D10E3}	inlsmacbt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B8517C-AFB0-48a7-B12B-86B2AE72FE23}	indrzpldy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35210FFD-A52C-46c8-8457-59DAC0000565}	innoddvuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34671535-41B9-44d9-8E78-03A492AFBEEA}\stubpath = "C:\\Windows\\system32\\inuinrlrc.exe"	inrshhzyd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF5C5C4-70D0-40d3-B270-FEAE19F3ED91}	inbfyviuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF5C5C4-70D0-40d3-B270-FEAE19F3ED91}\stubpath = "C:\\Windows\\system32\\inbohznex.exe"	inbfyviuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F479043-1F1F-4193-810A-44BDF5C3A40E}\stubpath = "C:\\Windows\\system32\\injyqkarh.exe"	inwixlnmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF2E7C63-7071-4cd4-B932-E97270A9B17A}\stubpath = "C:\\Windows\\system32\\inmtnbdcu.exe"	inetlfmxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6168C9DD-9AA0-4fab-8961-5F1994E7453E}\stubpath = "C:\\Windows\\system32\\inhiypoew.exe"	incsvmltt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73810870-C493-4e27-9E00-70D5B040B5A7}\stubpath = "C:\\Windows\\system32\\innoddvuk.exe"	inkzrlbas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBE4678C-E693-41bf-94B4-3449352497FF}	inbmkzbqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A8C953-1353-453b-86B5-B25D7E523DBF}	inaikwkwh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F479043-1F1F-4193-810A-44BDF5C3A40E}	inwixlnmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ACF3D6F-E42A-4a1f-91BC-0A61E2171B97}\stubpath = "C:\\Windows\\system32\\inbmkzbqa.exe"	inbuxzyre.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0BFC4A3-F1D8-4e4d-A2AE-BEDECDA16E30}\stubpath = "C:\\Windows\\system32\\injyiwuqi.exe"	ineuxonvv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E9AF54-95BD-4b43-968D-58D7275A1FC4}	inewrcnnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D62B9D3-3D06-4270-86DA-C82A708D8E57}\stubpath = "C:\\Windows\\system32\\insvxwpco.exe"	inumafjdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6201E8F-4007-4b75-8E3F-DDDC57E60388}	ingtvpopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92A8C953-1353-453b-86B5-B25D7E523DBF}\stubpath = "C:\\Windows\\system32\\inewrcnnk.exe"	inaikwkwh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B6D072F-ACF4-4eef-876B-DDA7ED646AFD}\stubpath = "C:\\Windows\\system32\\indwztgsi.exe"	inhegsgsd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E3E56E4-740D-42b1-B089-B642C64ABB98}\stubpath = "C:\\Windows\\system32\\inmeufqjy.exe"	inykznpoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC12DD4-00A6-44ab-B47B-9493F14213DD}	ingvzmksi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A9B068-80AB-47e5-90BB-BCF360984B47}	incgzwjvl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73810870-C493-4e27-9E00-70D5B040B5A7}	inkzrlbas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2191B63D-9F4D-4dad-913A-DFD61191B292}\stubpath = "C:\\Windows\\system32\\invrckwrg.exe"	inbqostfv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86BA732C-BF37-416d-8D5B-0FD5E19E3B0B}	incvyzsfr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7766A339-3D59-49b6-AB5E-F6C75A0DAF66}\stubpath = "C:\\Windows\\system32\\injmdckxk.exe"	innlypqcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC7C102A-5ADB-4bed-B0BB-E18F64115E51}	invhwkmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADC63739-1F66-469e-A3AE-FCC75F299944}\stubpath = "C:\\Windows\\system32\\inugvjlkd.exe"	d50124fb9b63888e37d8325c77467122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DACF751C-7495-4df3-AFE7-605B9E7DBAE7}\stubpath = "C:\\Windows\\system32\\inykznpoh.exe"	inxtemyti.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{142F515C-F609-43f9-88AF-5CD9BA4E3E41}	insbquvhx.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000001e7e1-4.dat	acprotect
behavioral2/files/0x000400000001e7f4-23.dat	acprotect
behavioral2/files/0x000200000001e7fb-43.dat	acprotect
behavioral2/files/0x000400000001e7f3-70.dat	acprotect
behavioral2/files/0x000200000001e802-94.dat	acprotect
behavioral2/files/0x000200000001e806-118.dat	acprotect
behavioral2/files/0x000200000001e80a-141.dat	acprotect
behavioral2/files/0x0002000000022775-164.dat	acprotect
behavioral2/files/0x0007000000023118-187.dat	acprotect
behavioral2/files/0x0006000000023120-210.dat	acprotect
behavioral2/files/0x0006000000023124-233.dat	acprotect
behavioral2/files/0x0006000000023128-256.dat	acprotect
behavioral2/files/0x000600000002312c-281.dat	acprotect
behavioral2/files/0x0006000000023130-301.dat	acprotect
behavioral2/files/0x0006000000023134-324.dat	acprotect
behavioral2/files/0x0006000000023138-349.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
1376	inugvjlkd.exe
4968	inaphxbit.exe
2016	inwixlnmf.exe
3508	injyqkarh.exe
952	inzvgovkd.exe
2572	inxtemyti.exe
1532	inykznpoh.exe
3456	inmeufqjy.exe
1480	inixpjqgj.exe
1764	inwsdlxsh.exe
1600	inyjbrycn.exe
4144	inkbaivic.exe
808	insohtodl.exe
1368	inetlfmxc.exe
3968	inmtnbdcu.exe
3260	inldtepix.exe
1672	inuqbjvqf.exe
1812	inruwvobn.exe
1624	indskelwb.exe
2204	inoavpdfe.exe
3732	inaexuhtj.exe
3440	inbqiycju.exe
2412	inpleqlxa.exe
4260	ingiuiufd.exe
2864	insbquvhx.exe
5020	intfuikjc.exe
5044	inhwnltjf.exe
3880	ingwzqpxx.exe
4288	inknedlyl.exe
4860	inecpcnet.exe
2060	inortslka.exe
3544	inwmpgfnn.exe
4684	inqcxrfhg.exe
4300	incsvmltt.exe
3052	inhiypoew.exe
2152	infgwnmcy.exe
4076	inahuhbcs.exe
4164	ingvzmksi.exe
2044	inlsmacbt.exe
2468	incgzwjvl.exe
2028	indrzpldy.exe
3864	inmprqjiy.exe
2416	inkzrlbas.exe
1716	innoddvuk.exe
2300	innfvgrkz.exe
1648	inbuxzyre.exe
3012	inbmkzbqa.exe
2676	inogwahsa.exe
4216	inilcbjwj.exe
3784	inbqostfv.exe
2100	invrckwrg.exe
2276	incvyzsfr.exe
904	ineuxonvv.exe
2844	injyiwuqi.exe
4352	inljyapnv.exe
1332	inrshhzyd.exe
1932	inuinrlrc.exe
4576	inaikwkwh.exe
2728	inewrcnnk.exe
5020	inowmiavg.exe
3408	inxsdoolp.exe
2616	infdqdofu.exe
1092	inxjymong.exe
4360	indtkzjxv.exe

Loads dropped DLL 64 IoCs

pid	Process
3432	d50124fb9b63888e37d8325c77467122.exe
3432	d50124fb9b63888e37d8325c77467122.exe
1376	inugvjlkd.exe
1376	inugvjlkd.exe
4968	inaphxbit.exe
4968	inaphxbit.exe
2016	inwixlnmf.exe
2016	inwixlnmf.exe
3508	injyqkarh.exe
3508	injyqkarh.exe
952	inzvgovkd.exe
952	inzvgovkd.exe
2572	inxtemyti.exe
2572	inxtemyti.exe
1532	inykznpoh.exe
1532	inykznpoh.exe
3456	inmeufqjy.exe
3456	inmeufqjy.exe
1480	inixpjqgj.exe
1480	inixpjqgj.exe
1764	inwsdlxsh.exe
1764	inwsdlxsh.exe
1600	inyjbrycn.exe
1600	inyjbrycn.exe
4144	inkbaivic.exe
4144	inkbaivic.exe
808	insohtodl.exe
808	insohtodl.exe
1368	inetlfmxc.exe
1368	inetlfmxc.exe
3968	inmtnbdcu.exe
3968	inmtnbdcu.exe
3260	inldtepix.exe
3260	inldtepix.exe
1672	inuqbjvqf.exe
1672	inuqbjvqf.exe
1812	inruwvobn.exe
1812	inruwvobn.exe
1624	indskelwb.exe
1624	indskelwb.exe
2204	inoavpdfe.exe
2204	inoavpdfe.exe
3732	inaexuhtj.exe
3732	inaexuhtj.exe
3440	inbqiycju.exe
3440	inbqiycju.exe
2412	inpleqlxa.exe
2412	inpleqlxa.exe
4260	ingiuiufd.exe
4260	ingiuiufd.exe
2864	insbquvhx.exe
2864	insbquvhx.exe
5020	intfuikjc.exe
5020	intfuikjc.exe
5044	inhwnltjf.exe
5044	inhwnltjf.exe
3880	ingwzqpxx.exe
3880	ingwzqpxx.exe
4288	inknedlyl.exe
4288	inknedlyl.exe
4860	inecpcnet.exe
4860	inecpcnet.exe
2060	inortslka.exe
2060	inortslka.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\innuocedv.exe	injmdckxk.exe
File opened for modification	C:\Windows\SysWOW64\ingiuiufd.exe_lang.ini	inpleqlxa.exe
File created	C:\Windows\SysWOW64\infnwdvwr.exe	insvxwpco.exe
File opened for modification	C:\Windows\SysWOW64\infnwdvwr.exe_lang.ini	insvxwpco.exe
File opened for modification	C:\Windows\SysWOW64\inocymrvp.exe_lang.ini	inpqffxwb.exe
File created	C:\Windows\SysWOW64\incgzwjvl.exe	inlsmacbt.exe
File created	C:\Windows\SysWOW64\inljyapnv.exe	injyiwuqi.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	indwztgsi.exe
File opened for modification	C:\Windows\SysWOW64\infdqdofu.exe_lang.ini	inxsdoolp.exe
File created	C:\Windows\SysWOW64\inomzqrdt.exe	inesqmezb.exe
File opened for modification	C:\Windows\SysWOW64\inrjcgagg.exe_lang.ini	inomzqrdt.exe
File created	C:\Windows\SysWOW64\inldtepix.exe	inmtnbdcu.exe
File created	C:\Windows\SysWOW64\inbqiycju.exe	inaexuhtj.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inewrcnnk.exe
File created	C:\Windows\SysWOW64\inruwvobn.exe	inuqbjvqf.exe
File created	C:\Windows\SysWOW64\ingiuiufd.exe	inpleqlxa.exe
File created	C:\Windows\SysWOW64\inesqmezb.exe	inrdysgih.exe
File opened for modification	C:\Windows\SysWOW64\inzvgovkd.exe_lang.ini	injyqkarh.exe
File created	C:\Windows\SysWOW64\inmeufqjy.exe	inykznpoh.exe
File opened for modification	C:\Windows\SysWOW64\inixpjqgj.exe_lang.ini	inmeufqjy.exe
File created	C:\Windows\SysWOW64\inewrcnnk.exe	inaikwkwh.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inbbkvfva.exe
File opened for modification	C:\Windows\SysWOW64\inmprqjiy.exe_lang.ini	indrzpldy.exe
File created	C:\Windows\SysWOW64\injyiwuqi.exe	ineuxonvv.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inuinrlrc.exe
File created	C:\Windows\SysWOW64\inbmkzbqa.exe	inbuxzyre.exe
File created	C:\Windows\SysWOW64\inbfyviuk.exe	innuocedv.exe
File opened for modification	C:\Windows\SysWOW64\inbohznex.exe_lang.ini	inbfyviuk.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inxtemyti.exe
File created	C:\Windows\SysWOW64\inhiypoew.exe	incsvmltt.exe
File opened for modification	C:\Windows\SysWOW64\infgwnmcy.exe_lang.ini	inhiypoew.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	innoddvuk.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inxjymong.exe
File created	C:\Windows\SysWOW64\ingtvpopk.exe	insgwlney.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	injyqkarh.exe
File opened for modification	C:\Windows\SysWOW64\incgzwjvl.exe_lang.ini	inlsmacbt.exe
File opened for modification	C:\Windows\SysWOW64\indwztgsi.exe_lang.ini	inhegsgsd.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	infgwnmcy.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	incgzwjvl.exe
File created	C:\Windows\SysWOW64\infdqdofu.exe	inxsdoolp.exe
File opened for modification	C:\Windows\SysWOW64\inhegsgsd.exe_lang.ini	infnwdvwr.exe
File opened for modification	C:\Windows\SysWOW64\invhwkmle.exe_lang.ini	inejnhnnw.exe
File created	C:\Windows\SysWOW64\inixpjqgj.exe	inmeufqjy.exe
File opened for modification	C:\Windows\SysWOW64\inhwnltjf.exe_lang.ini	intfuikjc.exe
File created	C:\Windows\SysWOW64\inecpcnet.exe	inknedlyl.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	invrckwrg.exe
File created	C:\Windows\SysWOW64\inrshhzyd.exe	inljyapnv.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inrdysgih.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inesqmezb.exe
File opened for modification	C:\Windows\SysWOW64\injkrqgyq.exe_lang.ini	inbbkvfva.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inpleqlxa.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inogwahsa.exe
File created	C:\Windows\SysWOW64\inbqostfv.exe	inilcbjwj.exe
File opened for modification	C:\Windows\SysWOW64\inowmiavg.exe_lang.ini	inewrcnnk.exe
File created	C:\Windows\SysWOW64\inugvjlkd.exe	d50124fb9b63888e37d8325c77467122.exe
File opened for modification	C:\Windows\SysWOW64\syslog.dat	inecpcnet.exe
File opened for modification	C:\Windows\SysWOW64\ineuxonvv.exe_lang.ini	incvyzsfr.exe
File opened for modification	C:\Windows\SysWOW64\injyiwuqi.exe_lang.ini	ineuxonvv.exe
File created	C:\Windows\SysWOW64\inxjymong.exe	infdqdofu.exe
File opened for modification	C:\Windows\SysWOW64\inejnhnnw.exe_lang.ini	inqtvunam.exe
File opened for modification	C:\Windows\SysWOW64\inqcxrfhg.exe_lang.ini	inwmpgfnn.exe
File created	C:\Windows\SysWOW64\inlsmacbt.exe	ingvzmksi.exe
File created	C:\Windows\SysWOW64\innoddvuk.exe	inkzrlbas.exe
File opened for modification	C:\Windows\SysWOW64\inwsdlxsh.exe_lang.ini	inixpjqgj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3432	d50124fb9b63888e37d8325c77467122.exe
3432	d50124fb9b63888e37d8325c77467122.exe
1376	inugvjlkd.exe
1376	inugvjlkd.exe
4968	inaphxbit.exe
4968	inaphxbit.exe
2016	inwixlnmf.exe
2016	inwixlnmf.exe
3508	injyqkarh.exe
3508	injyqkarh.exe
952	inzvgovkd.exe
952	inzvgovkd.exe
2572	inxtemyti.exe
2572	inxtemyti.exe
1532	inykznpoh.exe
1532	inykznpoh.exe
3456	inmeufqjy.exe
3456	inmeufqjy.exe
1480	inixpjqgj.exe
1480	inixpjqgj.exe
1764	inwsdlxsh.exe
1764	inwsdlxsh.exe
1600	inyjbrycn.exe
1600	inyjbrycn.exe
4144	inkbaivic.exe
4144	inkbaivic.exe
808	insohtodl.exe
808	insohtodl.exe
1368	inetlfmxc.exe
1368	inetlfmxc.exe
3968	inmtnbdcu.exe
3968	inmtnbdcu.exe
3260	inldtepix.exe
3260	inldtepix.exe
1672	inuqbjvqf.exe
1672	inuqbjvqf.exe
1812	inruwvobn.exe
1812	inruwvobn.exe
1624	indskelwb.exe
1624	indskelwb.exe
2204	inoavpdfe.exe
2204	inoavpdfe.exe
3732	inaexuhtj.exe
3732	inaexuhtj.exe
3440	inbqiycju.exe
3440	inbqiycju.exe
2412	inpleqlxa.exe
2412	inpleqlxa.exe
4260	ingiuiufd.exe
4260	ingiuiufd.exe
2864	insbquvhx.exe
2864	insbquvhx.exe
5020	intfuikjc.exe
5020	intfuikjc.exe
5044	inhwnltjf.exe
5044	inhwnltjf.exe
3880	ingwzqpxx.exe
3880	ingwzqpxx.exe
4288	inknedlyl.exe
4288	inknedlyl.exe
4860	inecpcnet.exe
4860	inecpcnet.exe
2060	inortslka.exe
2060	inortslka.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	d50124fb9b63888e37d8325c77467122.exe
Token: SeDebugPrivilege	1376	inugvjlkd.exe
Token: SeDebugPrivilege	4968	inaphxbit.exe
Token: SeDebugPrivilege	2016	inwixlnmf.exe
Token: SeDebugPrivilege	3508	injyqkarh.exe
Token: SeDebugPrivilege	952	inzvgovkd.exe
Token: SeDebugPrivilege	2572	inxtemyti.exe
Token: SeDebugPrivilege	1532	inykznpoh.exe
Token: SeDebugPrivilege	3456	inmeufqjy.exe
Token: SeDebugPrivilege	1480	inixpjqgj.exe
Token: SeDebugPrivilege	1764	inwsdlxsh.exe
Token: SeDebugPrivilege	1600	inyjbrycn.exe
Token: SeDebugPrivilege	4144	inkbaivic.exe
Token: SeDebugPrivilege	808	insohtodl.exe
Token: SeDebugPrivilege	1368	inetlfmxc.exe
Token: SeDebugPrivilege	3968	inmtnbdcu.exe
Token: SeDebugPrivilege	3260	inldtepix.exe
Token: SeDebugPrivilege	1672	inuqbjvqf.exe
Token: SeDebugPrivilege	1812	inruwvobn.exe
Token: SeDebugPrivilege	1624	indskelwb.exe
Token: SeDebugPrivilege	2204	inoavpdfe.exe
Token: SeDebugPrivilege	3732	inaexuhtj.exe
Token: SeDebugPrivilege	3440	inbqiycju.exe
Token: SeDebugPrivilege	2412	inpleqlxa.exe
Token: SeDebugPrivilege	4260	ingiuiufd.exe
Token: SeDebugPrivilege	2864	insbquvhx.exe
Token: SeDebugPrivilege	5020	intfuikjc.exe
Token: SeDebugPrivilege	5044	inhwnltjf.exe
Token: SeDebugPrivilege	3880	ingwzqpxx.exe
Token: SeDebugPrivilege	4288	inknedlyl.exe
Token: SeDebugPrivilege	4860	inecpcnet.exe
Token: SeDebugPrivilege	2060	inortslka.exe
Token: SeDebugPrivilege	3544	inwmpgfnn.exe
Token: SeDebugPrivilege	4684	inqcxrfhg.exe
Token: SeDebugPrivilege	4300	incsvmltt.exe
Token: SeDebugPrivilege	3052	inhiypoew.exe
Token: SeDebugPrivilege	2152	infgwnmcy.exe
Token: SeDebugPrivilege	4076	inahuhbcs.exe
Token: SeDebugPrivilege	4164	ingvzmksi.exe
Token: SeDebugPrivilege	2044	inlsmacbt.exe
Token: SeDebugPrivilege	2468	incgzwjvl.exe
Token: SeDebugPrivilege	2028	indrzpldy.exe
Token: SeDebugPrivilege	3864	inmprqjiy.exe
Token: SeDebugPrivilege	2416	inkzrlbas.exe
Token: SeDebugPrivilege	1716	innoddvuk.exe
Token: SeDebugPrivilege	2300	innfvgrkz.exe
Token: SeDebugPrivilege	1648	inbuxzyre.exe
Token: SeDebugPrivilege	3012	inbmkzbqa.exe
Token: SeDebugPrivilege	2676	inogwahsa.exe
Token: SeDebugPrivilege	4216	inilcbjwj.exe
Token: SeDebugPrivilege	3784	inbqostfv.exe
Token: SeDebugPrivilege	2100	invrckwrg.exe
Token: SeDebugPrivilege	2276	incvyzsfr.exe
Token: SeDebugPrivilege	904	ineuxonvv.exe
Token: SeDebugPrivilege	2844	injyiwuqi.exe
Token: SeDebugPrivilege	4352	inljyapnv.exe
Token: SeDebugPrivilege	1332	inrshhzyd.exe
Token: SeDebugPrivilege	1932	inuinrlrc.exe
Token: SeDebugPrivilege	4576	inaikwkwh.exe
Token: SeDebugPrivilege	2728	inewrcnnk.exe
Token: SeDebugPrivilege	5020	inowmiavg.exe
Token: SeDebugPrivilege	3408	inxsdoolp.exe
Token: SeDebugPrivilege	2616	infdqdofu.exe
Token: SeDebugPrivilege	1092	inxjymong.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3432	d50124fb9b63888e37d8325c77467122.exe
1376	inugvjlkd.exe
4968	inaphxbit.exe
2016	inwixlnmf.exe
3508	injyqkarh.exe
952	inzvgovkd.exe
2572	inxtemyti.exe
1532	inykznpoh.exe
3456	inmeufqjy.exe
1480	inixpjqgj.exe
1764	inwsdlxsh.exe
1600	inyjbrycn.exe
4144	inkbaivic.exe
808	insohtodl.exe
1368	inetlfmxc.exe
3968	inmtnbdcu.exe
3260	inldtepix.exe
1672	inuqbjvqf.exe
1812	inruwvobn.exe
1624	indskelwb.exe
2204	inoavpdfe.exe
3732	inaexuhtj.exe
3440	inbqiycju.exe
2412	inpleqlxa.exe
4260	ingiuiufd.exe
2864	insbquvhx.exe
5020	intfuikjc.exe
5044	inhwnltjf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1376	3432	d50124fb9b63888e37d8325c77467122.exe	97
PID 3432 wrote to memory of 1376	3432	d50124fb9b63888e37d8325c77467122.exe	97
PID 3432 wrote to memory of 1376	3432	d50124fb9b63888e37d8325c77467122.exe	97
PID 1376 wrote to memory of 4968	1376	inugvjlkd.exe	98
PID 1376 wrote to memory of 4968	1376	inugvjlkd.exe	98
PID 1376 wrote to memory of 4968	1376	inugvjlkd.exe	98
PID 4968 wrote to memory of 2016	4968	inaphxbit.exe	99
PID 4968 wrote to memory of 2016	4968	inaphxbit.exe	99
PID 4968 wrote to memory of 2016	4968	inaphxbit.exe	99
PID 2016 wrote to memory of 3508	2016	inwixlnmf.exe	100
PID 2016 wrote to memory of 3508	2016	inwixlnmf.exe	100
PID 2016 wrote to memory of 3508	2016	inwixlnmf.exe	100
PID 3508 wrote to memory of 952	3508	injyqkarh.exe	101
PID 3508 wrote to memory of 952	3508	injyqkarh.exe	101
PID 3508 wrote to memory of 952	3508	injyqkarh.exe	101
PID 952 wrote to memory of 2572	952	inzvgovkd.exe	102
PID 952 wrote to memory of 2572	952	inzvgovkd.exe	102
PID 952 wrote to memory of 2572	952	inzvgovkd.exe	102
PID 2572 wrote to memory of 1532	2572	inxtemyti.exe	103
PID 2572 wrote to memory of 1532	2572	inxtemyti.exe	103
PID 2572 wrote to memory of 1532	2572	inxtemyti.exe	103
PID 1532 wrote to memory of 3456	1532	inykznpoh.exe	104
PID 1532 wrote to memory of 3456	1532	inykznpoh.exe	104
PID 1532 wrote to memory of 3456	1532	inykznpoh.exe	104
PID 3456 wrote to memory of 1480	3456	inmeufqjy.exe	105
PID 3456 wrote to memory of 1480	3456	inmeufqjy.exe	105
PID 3456 wrote to memory of 1480	3456	inmeufqjy.exe	105
PID 1480 wrote to memory of 1764	1480	inixpjqgj.exe	106
PID 1480 wrote to memory of 1764	1480	inixpjqgj.exe	106
PID 1480 wrote to memory of 1764	1480	inixpjqgj.exe	106
PID 1764 wrote to memory of 1600	1764	inwsdlxsh.exe	107
PID 1764 wrote to memory of 1600	1764	inwsdlxsh.exe	107
PID 1764 wrote to memory of 1600	1764	inwsdlxsh.exe	107
PID 1600 wrote to memory of 4144	1600	inyjbrycn.exe	108
PID 1600 wrote to memory of 4144	1600	inyjbrycn.exe	108
PID 1600 wrote to memory of 4144	1600	inyjbrycn.exe	108
PID 4144 wrote to memory of 808	4144	inkbaivic.exe	109
PID 4144 wrote to memory of 808	4144	inkbaivic.exe	109
PID 4144 wrote to memory of 808	4144	inkbaivic.exe	109
PID 808 wrote to memory of 1368	808	insohtodl.exe	110
PID 808 wrote to memory of 1368	808	insohtodl.exe	110
PID 808 wrote to memory of 1368	808	insohtodl.exe	110
PID 1368 wrote to memory of 3968	1368	inetlfmxc.exe	111
PID 1368 wrote to memory of 3968	1368	inetlfmxc.exe	111
PID 1368 wrote to memory of 3968	1368	inetlfmxc.exe	111
PID 3968 wrote to memory of 3260	3968	inmtnbdcu.exe	112
PID 3968 wrote to memory of 3260	3968	inmtnbdcu.exe	112
PID 3968 wrote to memory of 3260	3968	inmtnbdcu.exe	112
PID 3260 wrote to memory of 1672	3260	inldtepix.exe	113
PID 3260 wrote to memory of 1672	3260	inldtepix.exe	113
PID 3260 wrote to memory of 1672	3260	inldtepix.exe	113
PID 1672 wrote to memory of 1812	1672	inuqbjvqf.exe	114
PID 1672 wrote to memory of 1812	1672	inuqbjvqf.exe	114
PID 1672 wrote to memory of 1812	1672	inuqbjvqf.exe	114
PID 1812 wrote to memory of 1624	1812	inruwvobn.exe	115
PID 1812 wrote to memory of 1624	1812	inruwvobn.exe	115
PID 1812 wrote to memory of 1624	1812	inruwvobn.exe	115
PID 1624 wrote to memory of 2204	1624	indskelwb.exe	116
PID 1624 wrote to memory of 2204	1624	indskelwb.exe	116
PID 1624 wrote to memory of 2204	1624	indskelwb.exe	116
PID 2204 wrote to memory of 3732	2204	inoavpdfe.exe	117
PID 2204 wrote to memory of 3732	2204	inoavpdfe.exe	117
PID 2204 wrote to memory of 3732	2204	inoavpdfe.exe	117
PID 3732 wrote to memory of 3440	3732	inaexuhtj.exe	118

C:\Users\Admin\AppData\Local\Temp\d50124fb9b63888e37d8325c77467122.exe
"C:\Users\Admin\AppData\Local\Temp\d50124fb9b63888e37d8325c77467122.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\SysWOW64\inugvjlkd.exe
  C:\Windows\system32\inugvjlkd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\inaphxbit.exe
    C:\Windows\system32\inaphxbit.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\inwixlnmf.exe
      C:\Windows\system32\inwixlnmf.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\injyqkarh.exe
        
        C:\Windows\system32\injyqkarh.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\SysWOW64\inzvgovkd.exe
        
        C:\Windows\system32\inzvgovkd.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\inxtemyti.exe
        
        C:\Windows\system32\inxtemyti.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\inykznpoh.exe
        
        C:\Windows\system32\inykznpoh.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\inmeufqjy.exe
        
        C:\Windows\system32\inmeufqjy.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\inixpjqgj.exe
        
        C:\Windows\system32\inixpjqgj.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\inwsdlxsh.exe
        
        C:\Windows\system32\inwsdlxsh.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\inyjbrycn.exe
        
        C:\Windows\system32\inyjbrycn.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\inkbaivic.exe
        
        C:\Windows\system32\inkbaivic.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\insohtodl.exe
        
        C:\Windows\system32\insohtodl.exe
        14⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\inetlfmxc.exe
        
        C:\Windows\system32\inetlfmxc.exe
        15⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\inmtnbdcu.exe
        
        C:\Windows\system32\inmtnbdcu.exe
        16⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\inldtepix.exe
        
        C:\Windows\system32\inldtepix.exe
        17⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\inuqbjvqf.exe
        
        C:\Windows\system32\inuqbjvqf.exe
        18⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\inruwvobn.exe
        
        C:\Windows\system32\inruwvobn.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\indskelwb.exe
        
        C:\Windows\system32\indskelwb.exe
        20⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\inoavpdfe.exe
        
        C:\Windows\system32\inoavpdfe.exe
        21⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\inaexuhtj.exe
        
        C:\Windows\system32\inaexuhtj.exe
        22⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\inbqiycju.exe
        
        C:\Windows\system32\inbqiycju.exe
        23⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\Windows\SysWOW64\inpleqlxa.exe
        
        C:\Windows\system32\inpleqlxa.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\ingiuiufd.exe
        
        C:\Windows\system32\ingiuiufd.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\insbquvhx.exe
        
        C:\Windows\system32\insbquvhx.exe
        26⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\intfuikjc.exe
        
        C:\Windows\system32\intfuikjc.exe
        27⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\inhwnltjf.exe
        
        C:\Windows\system32\inhwnltjf.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Windows\SysWOW64\ingwzqpxx.exe
        
        C:\Windows\system32\ingwzqpxx.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\SysWOW64\inknedlyl.exe
        
        C:\Windows\system32\inknedlyl.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\SysWOW64\inecpcnet.exe
        
        C:\Windows\system32\inecpcnet.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SysWOW64\inortslka.exe
        
        C:\Windows\system32\inortslka.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\inwmpgfnn.exe
        
        C:\Windows\system32\inwmpgfnn.exe
        33⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\SysWOW64\inqcxrfhg.exe
        
        C:\Windows\system32\inqcxrfhg.exe
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\SysWOW64\incsvmltt.exe
        
        C:\Windows\system32\incsvmltt.exe
        35⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\SysWOW64\inhiypoew.exe
        
        C:\Windows\system32\inhiypoew.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\SysWOW64\infgwnmcy.exe
        
        C:\Windows\system32\infgwnmcy.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\inahuhbcs.exe
        
        C:\Windows\system32\inahuhbcs.exe
        38⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\SysWOW64\ingvzmksi.exe
        
        C:\Windows\system32\ingvzmksi.exe
        39⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SysWOW64\inlsmacbt.exe
        
        C:\Windows\system32\inlsmacbt.exe
        40⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\incgzwjvl.exe
        
        C:\Windows\system32\incgzwjvl.exe
        41⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\SysWOW64\indrzpldy.exe
        
        C:\Windows\system32\indrzpldy.exe
        42⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\inmprqjiy.exe
        
        C:\Windows\system32\inmprqjiy.exe
        43⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\SysWOW64\inkzrlbas.exe
        
        C:\Windows\system32\inkzrlbas.exe
        44⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SysWOW64\innoddvuk.exe
        
        C:\Windows\system32\innoddvuk.exe
        45⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SysWOW64\innfvgrkz.exe
        
        C:\Windows\system32\innfvgrkz.exe
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\inbuxzyre.exe
        
        C:\Windows\system32\inbuxzyre.exe
        47⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SysWOW64\inbmkzbqa.exe
        
        C:\Windows\system32\inbmkzbqa.exe
        48⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\SysWOW64\inogwahsa.exe
        
        C:\Windows\system32\inogwahsa.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\inilcbjwj.exe
        
        C:\Windows\system32\inilcbjwj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Windows\SysWOW64\inbqostfv.exe
        
        C:\Windows\system32\inbqostfv.exe
        51⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\SysWOW64\invrckwrg.exe
        
        C:\Windows\system32\invrckwrg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\SysWOW64\incvyzsfr.exe
        
        C:\Windows\system32\incvyzsfr.exe
        53⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\ineuxonvv.exe
        
        C:\Windows\system32\ineuxonvv.exe
        54⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\SysWOW64\injyiwuqi.exe
        
        C:\Windows\system32\injyiwuqi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\inljyapnv.exe
        
        C:\Windows\system32\inljyapnv.exe
        56⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\SysWOW64\inrshhzyd.exe
        
        C:\Windows\system32\inrshhzyd.exe
        57⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\SysWOW64\inuinrlrc.exe
        
        C:\Windows\system32\inuinrlrc.exe
        58⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\inaikwkwh.exe
        
        C:\Windows\system32\inaikwkwh.exe
        59⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\SysWOW64\inewrcnnk.exe
        
        C:\Windows\system32\inewrcnnk.exe
        60⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\inowmiavg.exe
        
        C:\Windows\system32\inowmiavg.exe
        61⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\SysWOW64\inxsdoolp.exe
        
        C:\Windows\system32\inxsdoolp.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
        
        C:\Windows\SysWOW64\infdqdofu.exe
        
        C:\Windows\system32\infdqdofu.exe
        63⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\inxjymong.exe
        
        C:\Windows\system32\inxjymong.exe
        64⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\SysWOW64\indtkzjxv.exe
        
        C:\Windows\system32\indtkzjxv.exe
        65⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\inyufnzuj.exe
        
        C:\Windows\system32\inyufnzuj.exe
        66⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\inrdysgih.exe
        
        C:\Windows\system32\inrdysgih.exe
        67⤵
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\inesqmezb.exe
        
        C:\Windows\system32\inesqmezb.exe
        68⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\inomzqrdt.exe
        
        C:\Windows\system32\inomzqrdt.exe
        69⤵
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\inrjcgagg.exe
        
        C:\Windows\system32\inrjcgagg.exe
        70⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\inyorihpp.exe
        
        C:\Windows\system32\inyorihpp.exe
        71⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\incrjzdkv.exe
        
        C:\Windows\system32\incrjzdkv.exe
        72⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\intpaiupe.exe
        
        C:\Windows\system32\intpaiupe.exe
        73⤵
        
        PID:368
        
        C:\Windows\SysWOW64\inumafjdj.exe
        
        C:\Windows\system32\inumafjdj.exe
        74⤵
        Modifies Installed Components in the registry
        
        PID:2204
        
        C:\Windows\SysWOW64\insvxwpco.exe
        
        C:\Windows\system32\insvxwpco.exe
        75⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\infnwdvwr.exe
        
        C:\Windows\system32\infnwdvwr.exe
        76⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\inhegsgsd.exe
        
        C:\Windows\system32\inhegsgsd.exe
        77⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\indwztgsi.exe
        
        C:\Windows\system32\indwztgsi.exe
        78⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\inbbkvfva.exe
        
        C:\Windows\system32\inbbkvfva.exe
        79⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\injkrqgyq.exe
        
        C:\Windows\system32\injkrqgyq.exe
        80⤵
        
        PID:392
        
        C:\Windows\SysWOW64\indxawycz.exe
        
        C:\Windows\system32\indxawycz.exe
        81⤵
        
        PID:864
        
        C:\Windows\SysWOW64\inpqffxwb.exe
        
        C:\Windows\system32\inpqffxwb.exe
        82⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\inocymrvp.exe
        
        C:\Windows\system32\inocymrvp.exe
        83⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\inmkxopbr.exe
        
        C:\Windows\system32\inmkxopbr.exe
        84⤵
        
        PID:396
        
        C:\Windows\SysWOW64\injwnoaqy.exe
        
        C:\Windows\system32\injwnoaqy.exe
        85⤵
        Modifies Installed Components in the registry
        
        PID:2300
        
        C:\Windows\SysWOW64\insgwlney.exe
        
        C:\Windows\system32\insgwlney.exe
        86⤵
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\ingtvpopk.exe
        
        C:\Windows\system32\ingtvpopk.exe
        87⤵
        Modifies Installed Components in the registry
        
        PID:4488
        
        C:\Windows\SysWOW64\inqtvunam.exe
        
        C:\Windows\system32\inqtvunam.exe
        88⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\inejnhnnw.exe
        
        C:\Windows\system32\inejnhnnw.exe
        89⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\invhwkmle.exe
        
        C:\Windows\system32\invhwkmle.exe
        90⤵
        Modifies Installed Components in the registry
        
        PID:4020
        
        C:\Windows\SysWOW64\inyegrpfl.exe
        
        C:\Windows\system32\inyegrpfl.exe
        91⤵
        Modifies Installed Components in the registry
        
        PID:4360
        
        C:\Windows\SysWOW64\innlypqcs.exe
        
        C:\Windows\system32\innlypqcs.exe
        92⤵
        Modifies Installed Components in the registry
        
        PID:3328
        
        C:\Windows\SysWOW64\injmdckxk.exe
        
        C:\Windows\system32\injmdckxk.exe
        93⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\innuocedv.exe
        
        C:\Windows\system32\innuocedv.exe
        94⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\inbfyviuk.exe
        
        C:\Windows\system32\inbfyviuk.exe
        95⤵
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\inbohznex.exe
        
        C:\Windows\system32\inbohznex.exe
        96⤵
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dhi4A1F.tmp

Filesize
172KB

MD5
e3ef2e4b0dfa678756f34d0146827a07

SHA1
8ab32d5a9622050bec0d491fd513b3dcc9bdd03c

SHA256
2b52805f0a43d4ed0b4db0444e0bc4154bd1a945eb527108656273428c43845c

SHA512
804b7209148e71a091f862dfdb294a687534c822d07482cd061393ae0e03809351608e449d44849b05a032e872dd941c61ad3ff9e1b828944c649912be4c2e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\fviD9C1.tmp

Filesize
172KB

MD5
d029acc6c54e1ca4bf25e97d726f90ed

SHA1
5f410900bce1408f08d45166c58415543fb3589f

SHA256
5284f584dd97a8ad4b5fa57d6be693c348f191c4ee11cc6300e13305207ebdfa

SHA512
03496a82dbe88a307b7042a86102a63c84e872b1c814e9fe23dd5a9ae314e528edb3d3e6bb48201b691319b24fef9483474d0bfeb8ecec7d673a82b542d75ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfi3743.tmp

Filesize
172KB

MD5
3cb3ebca04ae378a48dc3dc73088235d

SHA1
5f64e4a626e0049c09c0fdb960a54e337eed322d

SHA256
902af327834906f371688fa136f3bcac4f5b6070f5689f76833fc9aa349f2c63

SHA512
000b0279f0531f0a8be99e6213f20579e362b244772e13a2a80c5e5fc368730df3cfd0b7ace94a9fb906ae0adb38ee98b6eb05df61e216bb6b015ffcc866fe03

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfi3A40.tmp

Filesize
172KB

MD5
c24af0c9014e23d64ee96735045a36cc

SHA1
a7fb454de4f8aa8c6aff3c9004518d71387e42d1

SHA256
a8a00a048b7f1a3d8fde8e83d91b16886c877072fd96b8ea7411dfcdf4526d21

SHA512
31426f7efe476e64fab830ce5307037f99ee7cc30d7675570524e7ee418697a5ac542130d3fe4cdeecfcb9ab668ec70a66d1762f193f06f3b1dd313c7db93972

Download Submit
C:\Users\Admin\AppData\Local\Temp\gli7044.tmp

Filesize
172KB

MD5
babcfb2b1485a8f104a5b32aeffbc5ad

SHA1
fa486e8c85350e787b4e66516014c6086f23aa3b

SHA256
f0e9757f6d25cdb2550fd9609654086a9a8187edef4891a90b736a50b193f29e

SHA512
d816a34cd43cabd9eaca26c44bded8b8928740b25c9157308087a4cf4e7e05a47c0b7b35627dbe3bcfd2f68f73b51bd113876bba057e876863078348438c0ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyiF44F.tmp

Filesize
174KB

MD5
a538623e20bb0047c932adeb55766930

SHA1
c09fe7cf81df77e0be3b817efd9baa70834334f2

SHA256
067e37b3fbedb22d63be59ed5fa24a00e04d6970cc4773f3975a96fc7783118f

SHA512
f04b3d00ab78ae8e435399bbc507ec99c824ad73c77b78c825d0c3029e4909c9db13fd11be5764b824dc8fd2b19cae030be57995e8b5d3839ba381152ca1d5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iei2958.tmp

Filesize
172KB

MD5
bf40b9341bd229c2dfe87355439f2652

SHA1
b4d1a0b8b61fc798ee0b214ee97c21ce0b33bc06

SHA256
b3e752b2b7d1d78f05a9ddc09b57c2c74d461b57f064604d52146bf665a470c1

SHA512
e646e78bae78626b07b52be70446d18342da26a3d78c5b936a27cce7e7240b93077df42c8134ede181bff5054de1d96e3455841decb1315fc7268b248df801ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihi4656.tmp

Filesize
172KB

MD5
6b7abb72540fc9c00c9cfc279743aee5

SHA1
eb2f80883fc0a2b5547adb4a282e48be8818982c

SHA256
b37ef50048fec33045c5c37af737c1ed9c7d45b379220b50be13a2247e23d2b7

SHA512
4a5e143082f62bca3a9f33921a08f32ea9deae4821964d994cec5d0fcb6fdb29d8646fecb29a825f57c7a8a82f8285f19276af6bb30b71ac6cc1bde228e78eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihi4C51.tmp

Filesize
172KB

MD5
95683eabffacb5fdafc116feda86c19f

SHA1
f63ef3fb078986448fb96c266f7e9cbcd1cdd713

SHA256
f056b9a91fd975178a371de5521876fd157b51336bd32480587554d65bdbefe0

SHA512
e12f16421f7d87a8bd441fef3e18ab410759d611dd012901fa68a2afde7775a1be18982f623672f654fcbabc23366933c66af95cfd3f7069d76b065ae33c98c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kii5068.tmp

Filesize
172KB

MD5
aab8181d6096cac02981bc90e5ed70c9

SHA1
9386456bf45a7d3471587525b37fc7395c71924e

SHA256
fe59b55fdbf46938cb6cea9a2d94c6aaed597944ead46d24b811b8f611de7f18

SHA512
a26fad68d08c88d0398e0533199f6c1daa10359de25bbf3eaae2a4a6fb2cd6b331b42ec29537e6d3cbb54846761f469f472fd40e94f77cb0eec029132c26e981

Download Submit
C:\Users\Admin\AppData\Local\Temp\kii526C.tmp

Filesize
172KB

MD5
86a9ff3c93ef7add7ebd45d0a149837a

SHA1
8fb97f8ba071bf8ac166a6fdb1367fd8212a2de6

SHA256
b48127447a7c05d80b008a75f818e8252784ce7a09ab100c5550a2ba477330be

SHA512
79e74b91e2a2d7174f8d4d251b5c1c46b38d91851fbcc4b6e29f8ba589022075c2a3510f6084415ea2620808091e0e063da318cfb985542a49e08eb9eda45a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mci1478.tmp

Filesize
172KB

MD5
9c98cfe0f4763a906836d5049b20f663

SHA1
54df1f6d9964eb8198543b14ca6e45e872019c5c

SHA256
8877eb8992c21dac4691cfb1c8f2a7926cad85232f371d9c84c786ad03f9e4a2

SHA512
631c157b842e1b1db6912b7695e943e6f7a94937bf679fd2a668cf5e7ec9e12e293aeae832fc3b629f432384ed2579d3038f8d81a28a35d64fe89ebdaab69b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oci1D90.tmp

Filesize
172KB

MD5
16c07e2252c884a73911c145eaf09120

SHA1
a3c0acf32c5158a12300fd28b07705d9249326c9

SHA256
c68f71f20248e60d5a532dee5504f9bcc87510761eb401a0b1a1bcc3b0adb38c

SHA512
00d547814d6d69df801f0286ffb3360ff184241d53bec9d52d55ddb5f04a51e0ca68e74380efc6e44a1f623792c25a0993a142bbb77d55b9b1b65bb01d0c1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\oki6B91.tmp

Filesize
172KB

MD5
4c3e41727525780d4da86586b1a1bac5

SHA1
cf9a2d875dcd3cf470bdea6a7cd4da2045d83965

SHA256
8f9095268e9759ec92f03e557fb4d3842abb5bffff864f81cbb99d1341a45b27

SHA512
f05d5871ff714b1e6cfa89c9174f807cf674aa0219fd8d63bf674c388a18fe8c335ff98fafd96486bb9f896fd7ab1936bf016996adc2704c88f01fa719cae86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgi3DAB.tmp

Filesize
172KB

MD5
cd928270d9d2b760bda1cb19b2fe0ddf

SHA1
6f4be7ddd3a80364276c20928fbc61d217abe15d

SHA256
f5ed7e163709ba34c778dbf0581291034be56c4d81bfb66c5cd839c35405b151

SHA512
d7430df6fe513f2bcfe22b9ca20f4f998824fb2b9dffbe4a26a7089fd06417a0deb8288f6ed3a3cf7dbb1a9c5a2707297b6627616ac142c467160b93eb99f05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vci17D4.tmp

Filesize
172KB

MD5
5b50a9295135755137e815e48c374861

SHA1
49e1f2cb0624b14e5fa0696eafd023ab4eed6fd4

SHA256
f0ea33e6b3059030edfe202dd25e46c83caebfe2193bedaf0449594d7b7254cd

SHA512
69a4d785e0769af41479f9d63b15fff4fe1004ed602d076ab8436b10f49515ef0fb2dfcc52dbdcef3320ecaf17d2034f63bf1aee2026738fddb2e14bd0a778b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgi40E7.tmp

Filesize
172KB

MD5
b3edf2f31231d625c354c95992198b5e

SHA1
99e36f080e3e19c885b05c609bc0a2750621489c

SHA256
ce3fe0d65d77b075b00e332d3ef8a1ccc4c3b2be4347f5f73c0eb6afdccbe80a

SHA512
ef69e81e20ec1f0dfb7ae760777db5407f5f564f0cdf9734f9c91e69f3f992a81bd85771f74911d23acf2042a5a41bbfd8cef8ab73c639a04d1b10abbc9fe100

Download Submit
C:\Windows\SysWOW64\inaphxbit.exe

Filesize
348KB

MD5
dc79d7ef32672c326ddaf03c8de5b6f8

SHA1
de8cf2af21a0d2ff8cad19b83ee4c65247542e42

SHA256
d1b0737caa9602533c8ed185080d74e72d51c2252cc381de882ab0da6599c81e

SHA512
e0583192be31d8db7d1814099346b97bc7e74c10e63ffbc5e404a8cfefa78e33c37e14a502a99702ec5cb98511e861479ed6982b6550c91c2802d133abc04c28

Download Submit
C:\Windows\SysWOW64\inetlfmxc.exe

Filesize
348KB

MD5
3060e867b5c27255508d243079a4d726

SHA1
252e0d92fcd1e820a0baa3a0df7fad0287e39464

SHA256
08a6808780687dbf67c028f44e5e49f6430ff31b2af6d27bbe14c77520e0937b

SHA512
818a94da23402d34569718b3dfb641dfa383ecd5cace00882ab25407b00160898716be087df3b8d3560e0c4fbc37f12317ccb0ffb2f402d4a52fd00665c29b91

Download Submit
C:\Windows\SysWOW64\inixpjqgj.exe

Filesize
348KB

MD5
d5376e1b15c137e21a7aa2aaffb8ab42

SHA1
00b2d2feade02860d10c01e2f80e903ad0e4b5b7

SHA256
c9e2b1175d7f4014c2d7a1a4f025247f23343eb6769e55b4e58cab3f9b575675

SHA512
4c8387084a76c50662fae375646bfa1b524e0e80aa834589442734a5554afe08a16afef0dbe1022d2f422355f63c37659aa8a389d6c10590dc5ac381c79d5142

Download Submit
C:\Windows\SysWOW64\injyqkarh.exe

Filesize
348KB

MD5
26f545457ee7db2099b3a69c4eef196b

SHA1
65b0c0fc6e92b82450b919513b8f6b8c78b9039c

SHA256
17ef9d4745f059a7dfb321df1b4f6396c6770b2e89765005f07885abf41ebd80

SHA512
a966925fd714ee6ee12ee8d97f3c514b361358d0dfb70e4d6860d57b7cb38eba68bdbff4ad98b63ced04ad8954151f11a9ddb1110dcb69021531fba879592453

Download Submit
C:\Windows\SysWOW64\inkbaivic.exe

Filesize
348KB

MD5
a350815198309319fd26aa6aa877f4bd

SHA1
903b7ea69b0c263623d9d293f467a1460c5bcdc6

SHA256
efc67e084beeaa14171df37f4a1ae50b278d61ea1b067d51c7cb422cdfdc750b

SHA512
db2811d6d2b9d98a1007b02d8bd7a3f11c1dd2d8cfed2e05e2b12cb109feac8096fe9c9b2a73eda5911a8f8013abadf2334b1de2c05d7b341788362f2d97d0c6

Download Submit
C:\Windows\SysWOW64\inldtepix.exe

Filesize
348KB

MD5
1478698d87a4763ce846ab664210fcf8

SHA1
2af4bf88c73d8528b7faf627c5d647db90478a94

SHA256
3657ffb3c2b1809e346cfd8263bf280e6c294b9c131b0d94f26e8f83775a7709

SHA512
a04e0d8269a5d77ec5a15b5a96697a4f248780db3da5f0dfc5c5fa3d79cc3a36d75668eedbfdb078bcbf85441fe5e0dd7a1d6692dcfa34b9300a7786b9c86277

Download Submit
C:\Windows\SysWOW64\inmeufqjy.exe

Filesize
348KB

MD5
dede4dc216a9d8d3b09428a4ad13e573

SHA1
60e446992eebd48987feeb52db81d02e6b882b3b

SHA256
8d5e842b3ba39b8570f49dfa9477ab628ef9c4494e61f5e3d78d32f92d8a49d7

SHA512
854fe1c7b718559590653daa3e246427e0a57aaa5313dcf4391ea6963c1d0286a142446aa435fca5086d66eb62323c99089a53d411d522e6f4465ce6c649d443

Download Submit
C:\Windows\SysWOW64\inmtnbdcu.exe

Filesize
348KB

MD5
310512f9aeab0ef3cf9623a719579d71

SHA1
cbaf5df356e70c7206e766c3ccf3f90b96269d1b

SHA256
941963744e92e141828622d31da085a89e8f900b95479e37c31989cfdda65d96

SHA512
fc03b5e0fbf9061cf4c2e4e95c6bf0535dc5d7823a6bc6a36e8787a8fa1507cf27042a323a5a190717a515abe43b773d4bdc3e5ea149ccfb6cb3b5017dd08f77

Download Submit
C:\Windows\SysWOW64\insohtodl.exe

Filesize
348KB

MD5
c00d89fffd8a23e7de4cf18ad527d0ed

SHA1
c7bb65dbbea5ef76c0af7ec54dcfb4ec3558175b

SHA256
90138c34c31f5eea34f46199d4e6fde0e8057fcc6eb7dfc06e5e760c4f9e21bc

SHA512
291256f60b0123a2db384ec0921529e67e1785dd1573e120661ac6af972bbb0f7abd6c06a5ceb227bd0cafb95a8f9536289e3f61960445b167578a978d4a0285

Download Submit
C:\Windows\SysWOW64\inugvjlkd.exe

Filesize
348KB

MD5
4c7b21f77f5bee7b6d71d6eee9790ff8

SHA1
4e7d1bea11f0eb0b919ac08a89d0434ac7772bc4

SHA256
e25c2032bd76692ed4a3bf47b8a96d8934eedffee9647ddd94b332508d13f1e3

SHA512
80458c920e585bb9f9d7638e28107636b7888b162b483b4a55b1ae22d6d667b36356ad5c8965d807a651aac3845cc1a772251c24dc4fa963b4f59e8185eb440e

Download Submit
C:\Windows\SysWOW64\inwixlnmf.exe

Filesize
348KB

MD5
9cc5620e597549dc6260f916812645e2

SHA1
ec94582dd6141735c7a5ce02458cb139904f7a37

SHA256
7dadd454680ee643fefbcf7440cf030aab6cec094eca443a418b0cfedb01e687

SHA512
fb59870795f57ff02d0282b219062811df225dcf1f1e20c252b1f944e38f2b5f121d64d4a509638980a80acaea8bd5cb067587051b172801bcb712f0b720da89

Download Submit
C:\Windows\SysWOW64\inwixlnmf.exe_lang.ini

Filesize
47B

MD5
66cd2808b29dc657c3e125685ae78932

SHA1
3d364fef92b83f413d1cb388797cc17365086794

SHA256
5692d02ea32eca516173b77a0ce989abb0cb94467cf1c1f04c7903f234785cbf

SHA512
c38eb7f44f433e98acc7d5ac6daab11986acee9bf9b0b2ecbf6dcbaa2dce4c0aa7ec21c1a52875fa42c52caab2ef3a0bbb8cfe7acbff9279c8d6f7408d9faad7

Download Submit
C:\Windows\SysWOW64\inwsdlxsh.exe

Filesize
348KB

MD5
a0fdbb729af3ae8b66efc0edde64ec1d

SHA1
20e51eefb9ad5b869b84d2c52760703d859b796b

SHA256
297f843784c132bde8c4acd0fdeab745d1d2e5544c778aa846441b5d188e8cb0

SHA512
7f4cbf04db92cccca96a57af30012be68c12ff9be1a36b382998ce1b5eefdad1cfa816b8ad49f012ddaf9e9e0665d97f5f0fcea1868b36bbb109132616eea470

Download Submit
C:\Windows\SysWOW64\inxtemyti.exe

Filesize
348KB

MD5
b13cd7cca2328d1a0b52a837197313d2

SHA1
b495ac34c7798fb538016964a6d263a9ee1af1cc

SHA256
14bbb70537ab7b4a9b39d62bd479ba75580783b47736c0a806497428bb2e0284

SHA512
e0205444222d9dea7afc87a56e27284962da487bf9676cb8c232eb9e783e7af3cf6f2c9867038f20524fc6f453573b6c9f734f09103db61bcc29c3b1254b7bea

Download Submit
C:\Windows\SysWOW64\inyjbrycn.exe

Filesize
348KB

MD5
08de1c66f7822e683b3bcb81ad64361a

SHA1
1c59788071ac4adf42bfbce4da9c4de79bceb470

SHA256
612c1993e76da8ae0bde87e2c0fa34b386b8343024944177f2474e141343b80d

SHA512
2b55f13d50dc1ff07c9c0fe7d4d68e8a23b917ae35c39e79da2edb97ed56572378f23a127293b070f64956ab48f4090c4cac39e96be4215f07d6f747b0f5f67e

Download Submit
C:\Windows\SysWOW64\inykznpoh.exe

Filesize
348KB

MD5
d1d818526b6f3e8d08caa9137f221218

SHA1
e7efaffcca3cc6c12a3594dc1ed21d97255754be

SHA256
50a9c99382da9ba96db89c2af9f7a777ac1207cbed3e11bcbbe1e5b18aa217c1

SHA512
27df8beb9bb7b1c25cf213e52a72e64f3e5a9b6bd77a8f4c32dacb24cfe53129a1d6e4fcd6a1d34c14be61305c9603c026fbe7b6806721e3b9cb0190dd025448

Download Submit
C:\Windows\SysWOW64\inzvgovkd.exe

Filesize
348KB

MD5
dcffaa62380cb4e15481124a47cb432f

SHA1
854c194c660c3abb91d1ce3368c635c8bc82a0a0

SHA256
31a7218c3241871f4b74858f0eea89e603d74b8aebafe94f96d852a85f45b3e5

SHA512
4c948085d8e9a10e052936c6ec6dfdf623293e9744cb705fc37ed673f96d5216daa9bff90057bd4c8b934d2a82ac8414d07bc88ffaae228f02c9ae065733a096

Download Submit
memory/808-314-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/808-306-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/808-320-0x0000000000500000-0x0000000000573000-memory.dmp

Filesize
460KB

Download
memory/808-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-1088-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/952-131-0x00000000006A0000-0x0000000000713000-memory.dmp

Filesize
460KB

Download
memory/952-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-138-0x00000000006A0000-0x0000000000713000-memory.dmp

Filesize
460KB

Download
memory/952-122-0x00000000006A0000-0x0000000000713000-memory.dmp

Filesize
460KB

Download
memory/1332-1145-0x00000000020E0000-0x0000000002153000-memory.dmp

Filesize
460KB

Download
memory/1368-337-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1368-329-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1368-342-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1368-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-35-0x0000000002030000-0x00000000020A3000-memory.dmp

Filesize
460KB

Download
memory/1376-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-64-0x0000000002030000-0x00000000020A3000-memory.dmp

Filesize
460KB

Download
memory/1480-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-213-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/1480-230-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/1480-216-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/1532-177-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1532-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-184-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1532-165-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/1600-258-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/1600-269-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/1600-276-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/1600-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-442-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/1624-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-437-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/1624-429-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/1648-955-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1672-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-404-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1672-399-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1672-391-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1716-917-0x0000000001FB0000-0x0000000002023000-memory.dmp

Filesize
460KB

Download
memory/1764-246-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1764-253-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1764-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-237-0x00000000020B0000-0x0000000002123000-memory.dmp

Filesize
460KB

Download
memory/1812-418-0x00000000005E0000-0x0000000000653000-memory.dmp

Filesize
460KB

Download
memory/1812-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-410-0x00000000005E0000-0x0000000000653000-memory.dmp

Filesize
460KB

Download
memory/1812-423-0x00000000005E0000-0x0000000000653000-memory.dmp

Filesize
460KB

Download
memory/1932-1164-0x0000000000690000-0x0000000000703000-memory.dmp

Filesize
460KB

Download
memory/2016-74-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/2016-89-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/2016-83-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/2016-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-860-0x0000000002050000-0x00000000020C3000-memory.dmp

Filesize
460KB

Download
memory/2044-822-0x00000000020F0000-0x0000000002163000-memory.dmp

Filesize
460KB

Download
memory/2060-670-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/2100-1050-0x0000000002030000-0x00000000020A3000-memory.dmp

Filesize
460KB

Download
memory/2152-765-0x0000000000700000-0x0000000000773000-memory.dmp

Filesize
460KB

Download
memory/2204-447-0x0000000002080000-0x00000000020F3000-memory.dmp

Filesize
460KB

Download
memory/2204-461-0x0000000002080000-0x00000000020F3000-memory.dmp

Filesize
460KB

Download
memory/2204-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-456-0x0000000002080000-0x00000000020F3000-memory.dmp

Filesize
460KB

Download
memory/2276-1069-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/2300-936-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/2412-518-0x00000000005D0000-0x0000000000643000-memory.dmp

Filesize
460KB

Download
memory/2416-898-0x0000000002070000-0x00000000020E3000-memory.dmp

Filesize
460KB

Download
memory/2468-841-0x00000000020C0000-0x0000000002133000-memory.dmp

Filesize
460KB

Download
memory/2572-161-0x0000000002120000-0x0000000002193000-memory.dmp

Filesize
460KB

Download
memory/2572-144-0x0000000002120000-0x0000000002193000-memory.dmp

Filesize
460KB

Download
memory/2572-154-0x0000000002120000-0x0000000002193000-memory.dmp

Filesize
460KB

Download
memory/2572-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-993-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/2728-1202-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/2844-1107-0x00000000006B0000-0x0000000000723000-memory.dmp

Filesize
460KB

Download
memory/2864-556-0x0000000000590000-0x0000000000603000-memory.dmp

Filesize
460KB

Download
memory/3012-974-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/3052-746-0x00000000020C0000-0x0000000002133000-memory.dmp

Filesize
460KB

Download
memory/3260-372-0x0000000001F50000-0x0000000001FC3000-memory.dmp

Filesize
460KB

Download
memory/3260-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-385-0x0000000001F50000-0x0000000001FC3000-memory.dmp

Filesize
460KB

Download
memory/3260-380-0x0000000001F50000-0x0000000001FC3000-memory.dmp

Filesize
460KB

Download
memory/3408-1241-0x0000000001F90000-0x0000000002003000-memory.dmp

Filesize
460KB

Download
memory/3432-15-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/3432-58-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/3432-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-5-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/3440-499-0x0000000002080000-0x00000000020F3000-memory.dmp

Filesize
460KB

Download
memory/3456-190-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/3456-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-206-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/3456-200-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/3508-97-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/3508-114-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/3508-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-107-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/3508-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-689-0x0000000001F30000-0x0000000001FA3000-memory.dmp

Filesize
460KB

Download
memory/3732-480-0x0000000002070000-0x00000000020E3000-memory.dmp

Filesize
460KB

Download
memory/3732-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-467-0x0000000002070000-0x00000000020E3000-memory.dmp

Filesize
460KB

Download
memory/3732-475-0x0000000002070000-0x00000000020E3000-memory.dmp

Filesize
460KB

Download
memory/3784-1031-0x00000000006D0000-0x0000000000743000-memory.dmp

Filesize
460KB

Download
memory/3864-879-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/3880-613-0x0000000001F30000-0x0000000001FA3000-memory.dmp

Filesize
460KB

Download
memory/3968-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-359-0x0000000001F40000-0x0000000001FB3000-memory.dmp

Filesize
460KB

Download
memory/3968-365-0x0000000001F40000-0x0000000001FB3000-memory.dmp

Filesize
460KB

Download
memory/4076-784-0x0000000001F30000-0x0000000001FA3000-memory.dmp

Filesize
460KB

Download
memory/4144-297-0x00000000004E0000-0x0000000000553000-memory.dmp

Filesize
460KB

Download
memory/4144-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-291-0x00000000004E0000-0x0000000000553000-memory.dmp

Filesize
460KB

Download
memory/4164-803-0x00000000004D0000-0x0000000000543000-memory.dmp

Filesize
460KB

Download
memory/4216-1012-0x0000000002080000-0x00000000020F3000-memory.dmp

Filesize
460KB

Download
memory/4260-537-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4288-631-0x0000000001F30000-0x0000000001FA3000-memory.dmp

Filesize
460KB

Download
memory/4300-727-0x00000000006F0000-0x0000000000763000-memory.dmp

Filesize
460KB

Download
memory/4352-1126-0x0000000002030000-0x00000000020A3000-memory.dmp

Filesize
460KB

Download
memory/4576-1183-0x0000000002090000-0x0000000002103000-memory.dmp

Filesize
460KB

Download
memory/4684-708-0x00000000020A0000-0x0000000002113000-memory.dmp

Filesize
460KB

Download
memory/4860-651-0x0000000002030000-0x00000000020A3000-memory.dmp

Filesize
460KB

Download
memory/4968-66-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/4968-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-59-0x0000000002040000-0x00000000020B3000-memory.dmp

Filesize
460KB

Download
memory/5020-575-0x00000000005B0000-0x0000000000623000-memory.dmp

Filesize
460KB

Download
memory/5020-1221-0x00000000020F0000-0x0000000002163000-memory.dmp

Filesize
460KB

Download
memory/5044-594-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download