Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-07-2024 18:06
Behavioral task behavioral1
- Sample: 0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318.exe
- Resource: win10v2004-20240704-en
General
- Target: 0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318.exe
- Size: 348KB
- MD5: cafdd4962dd00ff3d59b0481bef83c78
- SHA1: bc9da8b3decb86edfbc3c5eab6ac8c40543ee814
- SHA256: 0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318
- SHA512: 29063753a504f46343c917040de19640751bf47d0e36012e0e5eb18a87c868d6ac6c35faf500e95220578e89a907cff2c6f291f71277ceb72055ee9c6a02b6fb
- SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SX:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0z
Malware Config
Signatures
-
Gh0st RAT payload 49 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
ACProtect 1.3x - 1.4x DLL software 16 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318.exe"C:\Users\Admin\AppData\Local\Temp\0139422358150eda3958945b70568121b7037e50a0968e2a1c978f7c309aa318.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\intfuikjc.exeC:\Windows\system32\intfuikjc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\inzvgovkd.exeC:\Windows\system32\inzvgovkd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\system32\inmtnbdcu.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\inbqiycju.exeC:\Windows\system32\inbqiycju.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\inaexuhtj.exeC:\Windows\system32\inaexuhtj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\system32\innqsrkjz.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\incanalcr.exeC:\Windows\system32\incanalcr.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\ingiuiufd.exeC:\Windows\system32\ingiuiufd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\inhwnltjf.exeC:\Windows\system32\inhwnltjf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\system32\inbuxzyre.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\inxtemyti.exeC:\Windows\system32\inxtemyti.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\insbquvhx.exeC:\Windows\system32\insbquvhx.exe20⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\inzloqpih.exeC:\Windows\system32\inzloqpih.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\inrngsnzc.exeC:\Windows\system32\inrngsnzc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1520 -
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920 -
C:\Windows\SysWOW64\injmdckxk.exeC:\Windows\system32\injmdckxk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1768 -
C:\Windows\SysWOW64\inbpxnjbw.exeC:\Windows\system32\inbpxnjbw.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2504 -
C:\Windows\SysWOW64\inqgdzfrf.exeC:\Windows\system32\inqgdzfrf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2192 -
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\SysWOW64\incgzwjvl.exeC:\Windows\system32\incgzwjvl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\SysWOW64\inxsdoolp.exeC:\Windows\system32\inxsdoolp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596 -
C:\Windows\SysWOW64\inruwvobn.exeC:\Windows\system32\inruwvobn.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\SysWOW64\inbqostfv.exeC:\Windows\system32\inbqostfv.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Windows\SysWOW64\inaikwkwh.exeC:\Windows\system32\inaikwkwh.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4132 -
C:\Windows\SysWOW64\inpleqlxa.exeC:\Windows\system32\inpleqlxa.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\system32\inogwahsa.exe38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012 -
C:\Windows\SysWOW64\inadbobmd.exeC:\Windows\system32\inadbobmd.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516 -
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\system32\inetlfmxc.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252 -
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720 -
C:\Windows\SysWOW64\inknedlyl.exeC:\Windows\system32\inknedlyl.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992 -
C:\Windows\SysWOW64\inljyapnv.exeC:\Windows\system32\inljyapnv.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Windows\SysWOW64\inbrulkss.exeC:\Windows\system32\inbrulkss.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672 -
C:\Windows\SysWOW64\inyorihpp.exeC:\Windows\system32\inyorihpp.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024 -
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\system32\indskelwb.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404 -
C:\Windows\SysWOW64\indtwnmuu.exeC:\Windows\system32\indtwnmuu.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\system32\inixpjqgj.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3600 -
C:\Windows\SysWOW64\inefvmlzb.exeC:\Windows\system32\inefvmlzb.exe53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Windows\SysWOW64\innuocedv.exeC:\Windows\system32\innuocedv.exe54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076 -
C:\Windows\SysWOW64\injkrqgyq.exeC:\Windows\system32\injkrqgyq.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420 -
C:\Windows\SysWOW64\insezthji.exeC:\Windows\system32\insezthji.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136 -
C:\Windows\SysWOW64\inopeewva.exeC:\Windows\system32\inopeewva.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\SysWOW64\inhwoipfi.exeC:\Windows\system32\inhwoipfi.exe58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224 -
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\system32\inmprqjiy.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Windows\SysWOW64\indxawycz.exeC:\Windows\system32\indxawycz.exe61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\system32\inatwyxqd.exe62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624 -
C:\Windows\SysWOW64\ingtgabri.exeC:\Windows\system32\ingtgabri.exe63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3160 -
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:844 -
C:\Windows\SysWOW64\inlhzufqa.exeC:\Windows\system32\inlhzufqa.exe65⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\system32\inazpsjiq.exe66⤵PID:3396
-
C:\Windows\SysWOW64\infdqdofu.exeC:\Windows\system32\infdqdofu.exe67⤵PID:2952
-
C:\Windows\SysWOW64\inpqffxwb.exeC:\Windows\system32\inpqffxwb.exe68⤵PID:3416
-
C:\Windows\SysWOW64\indhxkwmb.exeC:\Windows\system32\indhxkwmb.exe69⤵PID:1408
-
C:\Windows\SysWOW64\innfvgrkz.exeC:\Windows\system32\innfvgrkz.exe70⤵PID:4680
-
C:\Windows\SysWOW64\intpaiupe.exeC:\Windows\system32\intpaiupe.exe71⤵PID:1708
-
C:\Windows\SysWOW64\inrcangym.exeC:\Windows\system32\inrcangym.exe72⤵PID:1572
-
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\system32\inhfsfaqh.exe73⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\system32\ingwzqpxx.exe74⤵PID:5020
-
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe75⤵PID:3104
-
C:\Windows\SysWOW64\inocokdvj.exeC:\Windows\system32\inocokdvj.exe76⤵PID:3180
-
C:\Windows\SysWOW64\indwezqep.exeC:\Windows\system32\indwezqep.exe77⤵PID:3568
-
C:\Windows\SysWOW64\intcrvwiy.exeC:\Windows\system32\intcrvwiy.exe78⤵PID:3892
-
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe79⤵PID:3972
-
C:\Windows\SysWOW64\infgwnmcy.exeC:\Windows\system32\infgwnmcy.exe80⤵PID:4524
-
C:\Windows\SysWOW64\inqnbrgit.exeC:\Windows\system32\inqnbrgit.exe81⤵PID:464
-
C:\Windows\SysWOW64\inqklaasr.exeC:\Windows\system32\inqklaasr.exe82⤵PID:652
-
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe83⤵PID:2564
-
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe84⤵PID:2208
-
C:\Windows\SysWOW64\inigtklnv.exeC:\Windows\system32\inigtklnv.exe85⤵PID:2196
-
C:\Windows\SysWOW64\inrhnxdft.exeC:\Windows\system32\inrhnxdft.exe86⤵PID:1572
-
C:\Windows\SysWOW64\inhzrfkoi.exeC:\Windows\system32\inhzrfkoi.exe87⤵PID:4612
-
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe88⤵PID:4444
-
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe89⤵PID:560
-
C:\Windows\SysWOW64\injlxlxig.exeC:\Windows\system32\injlxlxig.exe90⤵PID:4928
-
C:\Windows\SysWOW64\inixomukg.exeC:\Windows\system32\inixomukg.exe91⤵PID:4240
-
C:\Windows\SysWOW64\inmkxopbr.exeC:\Windows\system32\inmkxopbr.exe92⤵PID:3892
-
C:\Windows\SysWOW64\invrckwrg.exeC:\Windows\system32\invrckwrg.exe93⤵PID:4156
-
C:\Windows\SysWOW64\inionprva.exeC:\Windows\system32\inionprva.exe94⤵PID:4524
-
C:\Windows\SysWOW64\inqjpgzht.exeC:\Windows\system32\inqjpgzht.exe95⤵PID:1596
-
C:\Windows\SysWOW64\infslrijv.exeC:\Windows\system32\infslrijv.exe96⤵PID:1580
-
C:\Windows\SysWOW64\injhulmow.exeC:\Windows\system32\injhulmow.exe97⤵PID:4516
-
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe98⤵PID:4548
-
C:\Windows\SysWOW64\inscqyokc.exeC:\Windows\system32\inscqyokc.exe99⤵PID:1820
-
C:\Windows\SysWOW64\inlvjosms.exeC:\Windows\system32\inlvjosms.exe100⤵PID:2940
-
C:\Windows\SysWOW64\inxhvtpha.exeC:\Windows\system32\inxhvtpha.exe101⤵PID:1572
-
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\system32\insrzztuj.exe102⤵PID:3952
-
C:\Windows\SysWOW64\inumafjdj.exeC:\Windows\system32\inumafjdj.exe103⤵PID:1084
-
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\system32\inpbwqegf.exe104⤵PID:1344
-
C:\Windows\SysWOW64\inxitdtqe.exeC:\Windows\system32\inxitdtqe.exe105⤵PID:560
-
C:\Windows\SysWOW64\inpiofygs.exeC:\Windows\system32\inpiofygs.exe106⤵PID:3180
-
C:\Windows\SysWOW64\inxrqyyst.exeC:\Windows\system32\inxrqyyst.exe107⤵PID:4424
-
C:\Windows\SysWOW64\intsuvkkg.exeC:\Windows\system32\intsuvkkg.exe108⤵PID:5048
-
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe109⤵PID:1016
-
C:\Windows\SysWOW64\inooxsntm.exeC:\Windows\system32\inooxsntm.exe110⤵PID:2860
-
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe111⤵PID:2424
-
C:\Windows\SysWOW64\infudswxj.exeC:\Windows\system32\infudswxj.exe112⤵PID:3732
-
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\system32\ingvzmksi.exe113⤵PID:5028
-
C:\Windows\SysWOW64\inyteppma.exeC:\Windows\system32\inyteppma.exe114⤵PID:4348
-
C:\Windows\SysWOW64\inejnhnnw.exeC:\Windows\system32\inejnhnnw.exe115⤵PID:1664
-
C:\Windows\SysWOW64\inmnccutj.exeC:\Windows\system32\inmnccutj.exe116⤵PID:1280
-
C:\Windows\SysWOW64\inwgusogd.exeC:\Windows\system32\inwgusogd.exe117⤵PID:3392
-
C:\Windows\SysWOW64\inahuhbcs.exeC:\Windows\system32\inahuhbcs.exe118⤵PID:836
-
C:\Windows\SysWOW64\inxtleici.exeC:\Windows\system32\inxtleici.exe119⤵PID:2032
-
C:\Windows\SysWOW64\inyegrpfl.exeC:\Windows\system32\inyegrpfl.exe120⤵PID:3160
-
C:\Windows\SysWOW64\inaphxbit.exeC:\Windows\system32\inaphxbit.exe121⤵PID:2728
-
C:\Windows\SysWOW64\inujlcwuk.exeC:\Windows\system32\inujlcwuk.exe122⤵PID:1960