Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
14-11-2024 05:29
General
-
Target
4438107e7516d7b7896a15b097c2b9e0cd9fb65e5b6813e10203d9865f86c79d.exe
-
Size
348KB
-
MD5
b9befe5cf8c341b816fcd1922accf117
-
SHA1
08ca40d0fc0c580caeb6c15aa5289bef223dd6d4
-
SHA256
4438107e7516d7b7896a15b097c2b9e0cd9fb65e5b6813e10203d9865f86c79d
-
SHA512
3e85b180156fd665618fca532f4588f9edb9935fe2ecf3ebd60621a974c8fd30e32adee3a5d36c8bdefbec05787d69e721a13ade542f6d372681c4c80e448cac
-
SSDEEP
6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SQ:ouLwoZQGpnedeP/deUe1ppGjTGHZRT08
Score
10/10
Malware Config
Signatures
-
Gh0st RAT payload 33 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
ACProtect 1.3x - 1.4x DLL software 10 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 29 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4438107e7516d7b7896a15b097c2b9e0cd9fb65e5b6813e10203d9865f86c79d.exe"C:\Users\Admin\AppData\Local\Temp\4438107e7516d7b7896a15b097c2b9e0cd9fb65e5b6813e10203d9865f86c79d.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\indhxkwmb.exeC:\Windows\system32\indhxkwmb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\innfvgrkz.exeC:\Windows\system32\innfvgrkz.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\insvxwpco.exeC:\Windows\system32\insvxwpco.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\invhwkmle.exeC:\Windows\system32\invhwkmle.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\inmprqjiy.exeC:\Windows\system32\inmprqjiy.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\insohtodl.exeC:\Windows\system32\insohtodl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\inrdysgih.exeC:\Windows\system32\inrdysgih.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\inzvgovkd.exeC:\Windows\system32\inzvgovkd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\injyqkarh.exeC:\Windows\system32\injyqkarh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\innqsrkjz.exeC:\Windows\system32\innqsrkjz.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inpsutmlb.exeC:\Windows\system32\inpsutmlb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inqcxrfhg.exeC:\Windows\system32\inqcxrfhg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inyufnzuj.exeC:\Windows\system32\inyufnzuj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inkzrlbas.exeC:\Windows\system32\inkzrlbas.exe15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inortslka.exeC:\Windows\system32\inortslka.exe16⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\incrjzdkv.exeC:\Windows\system32\incrjzdkv.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inugvjlkd.exeC:\Windows\system32\inugvjlkd.exe18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inxiaqxbm.exeC:\Windows\system32\inxiaqxbm.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\intsuvkkg.exeC:\Windows\system32\intsuvkkg.exe20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inyorihpp.exeC:\Windows\system32\inyorihpp.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\incraptug.exeC:\Windows\system32\incraptug.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inwhpwale.exeC:\Windows\system32\inwhpwale.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\insrzztuj.exeC:\Windows\system32\insrzztuj.exe24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inqtvunam.exeC:\Windows\system32\inqtvunam.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\incsvmltt.exeC:\Windows\system32\incsvmltt.exe26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inwixlnmf.exeC:\Windows\system32\inwixlnmf.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inldtepix.exeC:\Windows\system32\inldtepix.exe28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\inoavpdfe.exeC:\Windows\system32\inoavpdfe.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ineybxzdp.exeC:\Windows\system32\ineybxzdp.exe30⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\infumgnyd.exeC:\Windows\system32\infumgnyd.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inxjymong.exeC:\Windows\system32\inxjymong.exe32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inpleqlxa.exeC:\Windows\system32\inpleqlxa.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inogwahsa.exeC:\Windows\system32\inogwahsa.exe34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inuqbjvqf.exeC:\Windows\system32\inuqbjvqf.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inetlfmxc.exeC:\Windows\system32\inetlfmxc.exe36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ingvnhoze.exeC:\Windows\system32\ingvnhoze.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inkbaivic.exeC:\Windows\system32\inkbaivic.exe38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inlsmacbt.exeC:\Windows\system32\inlsmacbt.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\intpaiupe.exeC:\Windows\system32\intpaiupe.exe40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\indskelwb.exeC:\Windows\system32\indskelwb.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\intcrvwiy.exeC:\Windows\system32\intcrvwiy.exe42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inigtklnv.exeC:\Windows\system32\inigtklnv.exe43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inutvwllh.exeC:\Windows\system32\inutvwllh.exe44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inadbobmd.exeC:\Windows\system32\inadbobmd.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inwsdlxsh.exeC:\Windows\system32\inwsdlxsh.exe46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inhfsfaqh.exeC:\Windows\system32\inhfsfaqh.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\injlxlxig.exeC:\Windows\system32\injlxlxig.exe48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inwmpgfnn.exeC:\Windows\system32\inwmpgfnn.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\indpalewk.exeC:\Windows\system32\indpalewk.exe50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\indtwnmuu.exeC:\Windows\system32\indtwnmuu.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inixpjqgj.exeC:\Windows\system32\inixpjqgj.exe52⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\indqsmlmh.exeC:\Windows\system32\indqsmlmh.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\injwnoaqy.exeC:\Windows\system32\injwnoaqy.exe54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\innlypqcs.exeC:\Windows\system32\innlypqcs.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inazpsjiq.exeC:\Windows\system32\inazpsjiq.exe56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\innoddvuk.exeC:\Windows\system32\innoddvuk.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inbfyviuk.exeC:\Windows\system32\inbfyviuk.exe58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inrfpuysy.exeC:\Windows\system32\inrfpuysy.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inmkxopbr.exeC:\Windows\system32\inmkxopbr.exe60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inbuxzyre.exeC:\Windows\system32\inbuxzyre.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\indwztgsi.exeC:\Windows\system32\indwztgsi.exe62⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inyjbrycn.exeC:\Windows\system32\inyjbrycn.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inmeufqjy.exeC:\Windows\system32\inmeufqjy.exe64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\incwvxbyn.exeC:\Windows\system32\incwvxbyn.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\inscqyokc.exeC:\Windows\system32\inscqyokc.exe66⤵
-
C:\Windows\SysWOW64\ineuxonvv.exeC:\Windows\system32\ineuxonvv.exe67⤵
-
C:\Windows\SysWOW64\ingvzmksi.exeC:\Windows\system32\ingvzmksi.exe68⤵
-
C:\Windows\SysWOW64\inhiypoew.exeC:\Windows\system32\inhiypoew.exe69⤵
-
C:\Windows\SysWOW64\injkrqgyq.exeC:\Windows\system32\injkrqgyq.exe70⤵
-
C:\Windows\SysWOW64\inopeewva.exeC:\Windows\system32\inopeewva.exe71⤵
-
C:\Windows\SysWOW64\infvypoww.exeC:\Windows\system32\infvypoww.exe72⤵
-
C:\Windows\SysWOW64\incsnrmiw.exeC:\Windows\system32\incsnrmiw.exe73⤵
-
C:\Windows\SysWOW64\inljyapnv.exeC:\Windows\system32\inljyapnv.exe74⤵
-
C:\Windows\SysWOW64\inapnrseu.exeC:\Windows\system32\inapnrseu.exe75⤵
-
C:\Windows\SysWOW64\incvyzsfr.exeC:\Windows\system32\incvyzsfr.exe76⤵
-
C:\Windows\SysWOW64\intmsjkwc.exeC:\Windows\system32\intmsjkwc.exe77⤵
-
C:\Windows\SysWOW64\injyixbhg.exeC:\Windows\system32\injyixbhg.exe78⤵
-
C:\Windows\SysWOW64\inecpcnet.exeC:\Windows\system32\inecpcnet.exe79⤵
-
C:\Windows\SysWOW64\inqgdzfrf.exeC:\Windows\system32\inqgdzfrf.exe80⤵
-
C:\Windows\SysWOW64\infhthtec.exeC:\Windows\system32\infhthtec.exe81⤵
-
C:\Windows\SysWOW64\inqrggyxc.exeC:\Windows\system32\inqrggyxc.exe82⤵
-
C:\Windows\SysWOW64\inilcbjwj.exeC:\Windows\system32\inilcbjwj.exe83⤵
-
C:\Windows\SysWOW64\inhwnltjf.exeC:\Windows\system32\inhwnltjf.exe84⤵
-
C:\Windows\SysWOW64\ingtvpopk.exeC:\Windows\system32\ingtvpopk.exe85⤵
-
C:\Windows\SysWOW64\inbnjcuis.exeC:\Windows\system32\inbnjcuis.exe86⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\inatwyxqd.exeC:\Windows\system32\inatwyxqd.exe87⤵
-
C:\Windows\SysWOW64\inuinrlrc.exeC:\Windows\system32\inuinrlrc.exe88⤵
-
C:\Windows\SysWOW64\inpqffxwb.exeC:\Windows\system32\inpqffxwb.exe89⤵
-
C:\Windows\SysWOW64\inykznpoh.exeC:\Windows\system32\inykznpoh.exe90⤵
-
C:\Windows\SysWOW64\inwikohfo.exeC:\Windows\system32\inwikohfo.exe91⤵
-
C:\Windows\SysWOW64\inochlfll.exeC:\Windows\system32\inochlfll.exe92⤵
-
C:\Windows\SysWOW64\inejnhnnw.exeC:\Windows\system32\inejnhnnw.exe93⤵
-
C:\Windows\SysWOW64\indrzpldy.exeC:\Windows\system32\indrzpldy.exe94⤵
-
C:\Windows\SysWOW64\ingerepgv.exeC:\Windows\system32\ingerepgv.exe95⤵
-
C:\Windows\SysWOW64\ingoxeawx.exeC:\Windows\system32\ingoxeawx.exe96⤵
-
C:\Windows\SysWOW64\ingvetxyk.exeC:\Windows\system32\ingvetxyk.exe97⤵
-
C:\Windows\SysWOW64\injfqeotx.exeC:\Windows\system32\injfqeotx.exe98⤵
-
C:\Windows\SysWOW64\inasgqvzt.exeC:\Windows\system32\inasgqvzt.exe99⤵
-
C:\Windows\SysWOW64\inpbwqegf.exeC:\Windows\system32\inpbwqegf.exe100⤵
-
C:\Windows\SysWOW64\inaivxrqr.exeC:\Windows\system32\inaivxrqr.exe101⤵
-
C:\Windows\SysWOW64\inckxztas.exeC:\Windows\system32\inckxztas.exe102⤵
-
C:\Windows\SysWOW64\inhegsgsd.exeC:\Windows\system32\inhegsgsd.exe103⤵
-
C:\Windows\SysWOW64\infudswxj.exeC:\Windows\system32\infudswxj.exe104⤵
-
C:\Windows\SysWOW64\ingwzqpxx.exeC:\Windows\system32\ingwzqpxx.exe105⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\inqmfrmyb.exeC:\Windows\system32\inqmfrmyb.exe106⤵
-
C:\Windows\SysWOW64\inzhuwqpq.exeC:\Windows\system32\inzhuwqpq.exe107⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\inbuzcxoc.exeC:\Windows\system32\inbuzcxoc.exe108⤵
-
C:\Windows\SysWOW64\insezthji.exeC:\Windows\system32\insezthji.exe109⤵
-
C:\Windows\SysWOW64\inlvjosms.exeC:\Windows\system32\inlvjosms.exe110⤵
-
C:\Windows\SysWOW64\insnyjjgx.exeC:\Windows\system32\insnyjjgx.exe111⤵
-
C:\Windows\SysWOW64\indeulkya.exeC:\Windows\system32\indeulkya.exe112⤵
-
C:\Windows\SysWOW64\inmtnbdcu.exeC:\Windows\system32\inmtnbdcu.exe113⤵
-
C:\Windows\SysWOW64\inxnqhgoo.exeC:\Windows\system32\inxnqhgoo.exe114⤵
-
C:\Windows\SysWOW64\inmhxsddw.exeC:\Windows\system32\inmhxsddw.exe115⤵
-
C:\Windows\SysWOW64\inpfzcyeq.exeC:\Windows\system32\inpfzcyeq.exe116⤵
-
C:\Windows\SysWOW64\inrbvqwap.exeC:\Windows\system32\inrbvqwap.exe117⤵
-
C:\Windows\SysWOW64\inmawkptn.exeC:\Windows\system32\inmawkptn.exe118⤵
-
C:\Windows\SysWOW64\indtkzjxv.exeC:\Windows\system32\indtkzjxv.exe119⤵
-
C:\Windows\SysWOW64\insbznvcp.exeC:\Windows\system32\insbznvcp.exe120⤵
-
C:\Windows\SysWOW64\inixomukg.exeC:\Windows\system32\inixomukg.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-