Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:29
Behavioral task: behavioral1
Sample: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Resource: win10v2004-20241007-en
General
Target: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Size: 348KB
MD5: bdc1ddc53cbccb1282d8ea5a71e93d00
SHA1: 3c0c44b40da2bf72021db3e1bb72f3ab5e3508ba
SHA256: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ff
SHA512: 3d10acc75e96b18d9b42575de73c19d221c5a2cf7ba58f69ccb4afbc4155ff493b8ed0adbad9c44e729fd2f6d7377aa7a305bc9bb9dccae0aad39df415393cb8
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0S8:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0g
Malware Config

Signatures
Gh0st RAT payload 34 IoCs
Gh0strat family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
ACProtect 1.3x - 1.4x DLL software 10 IoCs
Detects a file protected with ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 29 IoCs
pid   Process
2648  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
1264  inxjymong.exe
2980  inpleqlxa.exe
2924  insohtodl.exe
2364  inrdysgih.exe
3032  incvyzsfr.exe
596   indhxkwmb.exe
1780  innfvgrkz.exe
2064  inqcxrfhg.exe
2692  inbuxzyre.exe
1352  inixpjqgj.exe
2228  inmtnbdcu.exe
2488  inqtvunam.exe
2372  inugvjlkd.exe
1736  injyqkarh.exe
1732  innqsrkjz.exe
2972  inyorihpp.exe
788   inqgdzfrf.exe
2768  inwhpwale.exe
2016  inigtklnv.exe
2396  inpbwqegf.exe
356   inatwyxqd.exe
2572  inhegsgsd.exe
1980  inxiaqxbm.exe
1676  intsuvkkg.exe
2432  intpaiupe.exe
476   inrcangym.exe
2824  intcrvwiy.exe
1968  inmprqjiy.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                                   procid_target  rows
PID 2648 wrote to memory of 1264   2648  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe  30             7 identical
PID 1264 wrote to memory of 2980   1264  inxjymong.exe                                                             31             7 identical
PID 2980 wrote to memory of 2924   2980  inpleqlxa.exe                                                             32             7 identical
PID 2924 wrote to memory of 2364   2924  insohtodl.exe                                                             33             7 identical
PID 2364 wrote to memory of 3032   2364  inrdysgih.exe                                                             34             7 identical
PID 3032 wrote to memory of 596    3032  incvyzsfr.exe                                                             35             7 identical
PID 596 wrote to memory of 1780    596   indhxkwmb.exe                                                             36             7 identical
PID 1780 wrote to memory of 2064   1780  innfvgrkz.exe                                                             37             7 identical
PID 2064 wrote to memory of 2692   2064  inqcxrfhg.exe                                                             38             7 identical
PID 2692 wrote to memory of 1352   2692  inbuxzyre.exe                                                             39             1
Processes
-
depth 1    C:\Users\Admin\AppData\Local\Temp\8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe   (command line: "C:\Users\Admin\AppData\Local\Temp\8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe", PID 2648)
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 2    C:\Windows\SysWOW64\inxjymong.exe   (command line: C:\Windows\system32\inxjymong.exe, PID 1264)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 3    C:\Windows\SysWOW64\inpleqlxa.exe   (command line: C:\Windows\system32\inpleqlxa.exe, PID 2980)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 4    C:\Windows\SysWOW64\insohtodl.exe   (command line: C:\Windows\system32\insohtodl.exe, PID 2924)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 5    C:\Windows\SysWOW64\inrdysgih.exe   (command line: C:\Windows\system32\inrdysgih.exe, PID 2364)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 6    C:\Windows\SysWOW64\incvyzsfr.exe   (command line: C:\Windows\system32\incvyzsfr.exe, PID 3032)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 7    C:\Windows\SysWOW64\indhxkwmb.exe   (command line: C:\Windows\system32\indhxkwmb.exe, PID 596)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 8    C:\Windows\SysWOW64\innfvgrkz.exe   (command line: C:\Windows\system32\innfvgrkz.exe, PID 1780)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 9    C:\Windows\SysWOW64\inqcxrfhg.exe   (command line: C:\Windows\system32\inqcxrfhg.exe, PID 2064)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 10   C:\Windows\SysWOW64\inbuxzyre.exe   (command line: C:\Windows\system32\inbuxzyre.exe, PID 2692)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 11   C:\Windows\SysWOW64\inixpjqgj.exe   (command line: C:\Windows\system32\inixpjqgj.exe, PID 1352)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 12   C:\Windows\SysWOW64\inmtnbdcu.exe   (command line: C:\Windows\system32\inmtnbdcu.exe, PID 2228)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 13   C:\Windows\SysWOW64\inqtvunam.exe   (command line: C:\Windows\system32\inqtvunam.exe, PID 2488)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 14   C:\Windows\SysWOW64\inugvjlkd.exe   (command line: C:\Windows\system32\inugvjlkd.exe, PID 2372)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 15   C:\Windows\SysWOW64\injyqkarh.exe   (command line: C:\Windows\system32\injyqkarh.exe, PID 1736)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 16   C:\Windows\SysWOW64\innqsrkjz.exe   (command line: C:\Windows\system32\innqsrkjz.exe, PID 1732)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 17   C:\Windows\SysWOW64\inyorihpp.exe   (command line: C:\Windows\system32\inyorihpp.exe, PID 2972)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 18   C:\Windows\SysWOW64\inqgdzfrf.exe   (command line: C:\Windows\system32\inqgdzfrf.exe, PID 788)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 19   C:\Windows\SysWOW64\inwhpwale.exe   (command line: C:\Windows\system32\inwhpwale.exe, PID 2768)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 20   C:\Windows\SysWOW64\inigtklnv.exe   (command line: C:\Windows\system32\inigtklnv.exe, PID 2016)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 21   C:\Windows\SysWOW64\inpbwqegf.exe   (command line: C:\Windows\system32\inpbwqegf.exe, PID 2396)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 22   C:\Windows\SysWOW64\inatwyxqd.exe   (command line: C:\Windows\system32\inatwyxqd.exe, PID 356)
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 23   C:\Windows\SysWOW64\inhegsgsd.exe   (command line: C:\Windows\system32\inhegsgsd.exe, PID 2572)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 24   C:\Windows\SysWOW64\inxiaqxbm.exe   (command line: C:\Windows\system32\inxiaqxbm.exe, PID 1980)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 25   C:\Windows\SysWOW64\intsuvkkg.exe   (command line: C:\Windows\system32\intsuvkkg.exe, PID 1676)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 26   C:\Windows\SysWOW64\intpaiupe.exe   (command line: C:\Windows\system32\intpaiupe.exe, PID 2432)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 27   C:\Windows\SysWOW64\inrcangym.exe   (command line: C:\Windows\system32\inrcangym.exe, PID 476)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 28   C:\Windows\SysWOW64\intcrvwiy.exe   (command line: C:\Windows\system32\intcrvwiy.exe, PID 2824)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 29   C:\Windows\SysWOW64\inmprqjiy.exe   (command line: C:\Windows\system32\inmprqjiy.exe, PID 1968)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
depth 30   C:\Windows\SysWOW64\inogwahsa.exe   (command line: C:\Windows\system32\inogwahsa.exe, PID 2612)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 31   C:\Windows\SysWOW64\inazpsjiq.exe   (command line: C:\Windows\system32\inazpsjiq.exe, PID 2460)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 32   C:\Windows\SysWOW64\inbohznex.exe   (command line: C:\Windows\system32\inbohznex.exe, PID 408)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 33   C:\Windows\SysWOW64\infudswxj.exe   (command line: C:\Windows\system32\infudswxj.exe, PID 1560)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 34   C:\Windows\SysWOW64\inlsmacbt.exe   (command line: C:\Windows\system32\inlsmacbt.exe, PID 1456)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 35   C:\Windows\SysWOW64\inaphxbit.exe   (command line: C:\Windows\system32\inaphxbit.exe, PID 2292)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 36   C:\Windows\SysWOW64\insezthji.exe   (command line: C:\Windows\system32\insezthji.exe, PID 1948)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 37   C:\Windows\SysWOW64\indwztgsi.exe   (command line: C:\Windows\system32\indwztgsi.exe, PID 1624)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 38   C:\Windows\SysWOW64\inyjbrycn.exe   (command line: C:\Windows\system32\inyjbrycn.exe, PID 1084)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 39   C:\Windows\SysWOW64\inljyapnv.exe   (command line: C:\Windows\system32\inljyapnv.exe, PID 2852)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 40   C:\Windows\SysWOW64\inwsdlxsh.exe   (command line: C:\Windows\system32\inwsdlxsh.exe, PID 1240)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 41   C:\Windows\SysWOW64\inwixlnmf.exe   (command line: C:\Windows\system32\inwixlnmf.exe, PID 592)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 42   C:\Windows\SysWOW64\inykznpoh.exe   (command line: C:\Windows\system32\inykznpoh.exe, PID 2988)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 43   C:\Windows\SysWOW64\inrfpuysy.exe   (command line: C:\Windows\system32\inrfpuysy.exe, PID 2384)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 44   C:\Windows\SysWOW64\inoavpdfe.exe   (command line: C:\Windows\system32\inoavpdfe.exe, PID 2864)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 45   C:\Windows\SysWOW64\indskelwb.exe   (command line: C:\Windows\system32\indskelwb.exe, PID 444)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 46   C:\Windows\SysWOW64\infumgnyd.exe   (command line: C:\Windows\system32\infumgnyd.exe, PID 1640)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 47   C:\Windows\SysWOW64\incgzwjvl.exe   (command line: C:\Windows\system32\incgzwjvl.exe, PID 1744)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 48   C:\Windows\SysWOW64\inmeufqjy.exe   (command line: C:\Windows\system32\inmeufqjy.exe, PID 2312)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 49   C:\Windows\SysWOW64\inuqbjvqf.exe   (command line: C:\Windows\system32\inuqbjvqf.exe, PID 2356)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 50   C:\Windows\SysWOW64\inetlfmxc.exe   (command line: C:\Windows\system32\inetlfmxc.exe, PID 784)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 51   C:\Windows\SysWOW64\inzhpyfbx.exe   (command line: C:\Windows\system32\inzhpyfbx.exe, PID 3028)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 52   C:\Windows\SysWOW64\injmdckxk.exe   (command line: C:\Windows\system32\injmdckxk.exe, PID 2064)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 53   C:\Windows\SysWOW64\inmkxopbr.exe   (command line: C:\Windows\system32\inmkxopbr.exe, PID 2768)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 54   C:\Windows\SysWOW64\insvxwpco.exe   (command line: C:\Windows\system32\insvxwpco.exe, PID 476)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 55   C:\Windows\SysWOW64\invhwkmle.exe   (command line: C:\Windows\system32\invhwkmle.exe, PID 408)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 56   C:\Windows\SysWOW64\infvypoww.exe   (command line: C:\Windows\system32\infvypoww.exe, PID 1840)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 57   C:\Windows\SysWOW64\inortslka.exe   (command line: C:\Windows\system32\inortslka.exe, PID 324)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 58   C:\Windows\SysWOW64\incwvxbyn.exe   (command line: C:\Windows\system32\incwvxbyn.exe, PID 2328)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 59   C:\Windows\SysWOW64\incsvmltt.exe   (command line: C:\Windows\system32\incsvmltt.exe, PID 2836)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 60   C:\Windows\SysWOW64\inytozkkh.exe   (command line: C:\Windows\system32\inytozkkh.exe, PID 1884)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 61   C:\Windows\SysWOW64\inpsutmlb.exe   (command line: C:\Windows\system32\inpsutmlb.exe, PID 2264)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 62   C:\Windows\SysWOW64\ineybxzdp.exe   (command line: C:\Windows\system32\ineybxzdp.exe, PID 1572)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 63   C:\Windows\SysWOW64\inbaqtkjr.exe   (command line: C:\Windows\system32\inbaqtkjr.exe, PID 572)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 64   C:\Windows\SysWOW64\ingerepgv.exe   (command line: C:\Windows\system32\ingerepgv.exe, PID 2192)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
depth 65   C:\Windows\SysWOW64\inahuhbcs.exe   (command line: C:\Windows\system32\inahuhbcs.exe, PID 2816)
  - Executes dropped EXE
depth 66   C:\Windows\SysWOW64\inutvwllh.exe   (command line: C:\Windows\system32\inutvwllh.exe, PID 3056)
depth 67   C:\Windows\SysWOW64\inapnrseu.exe   (command line: C:\Windows\system32\inapnrseu.exe, PID 1964)
depth 68   C:\Windows\SysWOW64\inzvgovkd.exe   (command line: C:\Windows\system32\inzvgovkd.exe, PID 3064)
depth 69   C:\Windows\SysWOW64\inkbaivic.exe   (command line: C:\Windows\system32\inkbaivic.exe, PID 1756)
depth 70   C:\Windows\SysWOW64\inldtepix.exe   (command line: C:\Windows\system32\inldtepix.exe, PID 344)
depth 71   C:\Windows\SysWOW64\inixomukg.exe   (command line: C:\Windows\system32\inixomukg.exe, PID 3052)
depth 72   C:\Windows\SysWOW64\inzhuwqpq.exe   (command line: C:\Windows\system32\inzhuwqpq.exe, PID 2824)
depth 73   C:\Windows\SysWOW64\invrckwrg.exe   (command line: C:\Windows\system32\invrckwrg.exe, PID 2136)
depth 74   C:\Windows\SysWOW64\inyufnzuj.exe   (command line: C:\Windows\system32\inyufnzuj.exe, PID 1684)
depth 75   C:\Windows\SysWOW64\ingoxeawx.exe   (command line: C:\Windows\system32\ingoxeawx.exe, PID 1492)
depth 76   C:\Windows\SysWOW64\inqrggyxc.exe   (command line: C:\Windows\system32\inqrggyxc.exe, PID 320)
depth 77   C:\Windows\SysWOW64\insrzztuj.exe   (command line: C:\Windows\system32\insrzztuj.exe, PID 2784)
depth 78   C:\Windows\SysWOW64\inknedlyl.exe   (command line: C:\Windows\system32\inknedlyl.exe, PID 2060)
depth 79   C:\Windows\SysWOW64\inxnqhgoo.exe   (command line: C:\Windows\system32\inxnqhgoo.exe, PID 1888)
depth 80   C:\Windows\SysWOW64\innlypqcs.exe   (command line: C:\Windows\system32\innlypqcs.exe, PID 2444)
  - Drops file in System32 directory
depth 81   C:\Windows\SysWOW64\inckxztas.exe   (command line: C:\Windows\system32\inckxztas.exe, PID 2844)
depth 82   C:\Windows\SysWOW64\infdqdofu.exe   (command line: C:\Windows\system32\infdqdofu.exe, PID 444)
depth 83   C:\Windows\SysWOW64\ingvnhoze.exe   (command line: C:\Windows\system32\ingvnhoze.exe, PID 1768)
depth 84   C:\Windows\SysWOW64\inbfyviuk.exe   (command line: C:\Windows\system32\inbfyviuk.exe, PID 2192)
depth 85   C:\Windows\SysWOW64\injlxlxig.exe   (command line: C:\Windows\system32\injlxlxig.exe, PID 1728)
depth 86   C:\Windows\SysWOW64\injyixbhg.exe   (command line: C:\Windows\system32\injyixbhg.exe, PID 1088)
depth 87   C:\Windows\SysWOW64\invuwaxma.exe   (command line: C:\Windows\system32\invuwaxma.exe, PID 2656)
depth 88   C:\Windows\SysWOW64\inbmkzbqa.exe   (command line: C:\Windows\system32\inbmkzbqa.exe, PID 2940)
depth 89   C:\Windows\SysWOW64\inecpcnet.exe   (command line: C:\Windows\system32\inecpcnet.exe, PID 1952)
  - Boot or Logon Autostart Execution: Active Setup
depth 90   C:\Windows\SysWOW64\indwezqep.exe   (command line: C:\Windows\system32\indwezqep.exe, PID 1736)
depth 91   C:\Windows\SysWOW64\infhthtec.exe   (command line: C:\Windows\system32\infhthtec.exe, PID 2572)
depth 92   C:\Windows\SysWOW64\innbxlquo.exe   (command line: C:\Windows\system32\innbxlquo.exe, PID 600)
depth 93   C:\Windows\SysWOW64\indqsmlmh.exe   (command line: C:\Windows\system32\indqsmlmh.exe, PID 2632)
depth 94   C:\Windows\SysWOW64\infgwnmcy.exe   (command line: C:\Windows\system32\infgwnmcy.exe, PID 2896)
depth 95   C:\Windows\SysWOW64\inijzqpfx.exe   (command line: C:\Windows\system32\inijzqpfx.exe, PID 2136)
depth 96   C:\Windows\SysWOW64\incrjzdkv.exe   (command line: C:\Windows\system32\incrjzdkv.exe, PID 2852)
depth 97   C:\Windows\SysWOW64\inesqmezb.exe   (command line: C:\Windows\system32\inesqmezb.exe, PID 2608)
depth 98   C:\Windows\SysWOW64\inhfsfaqh.exe   (command line: C:\Windows\system32\inhfsfaqh.exe, PID 2828)
depth 99   C:\Windows\SysWOW64\indtkzjxv.exe   (command line: C:\Windows\system32\indtkzjxv.exe, PID 2172)
depth 100  C:\Windows\SysWOW64\intmsjkwc.exe   (command line: C:\Windows\system32\intmsjkwc.exe, PID 2168)
depth 101  C:\Windows\SysWOW64\inyteppma.exe   (command line: C:\Windows\system32\inyteppma.exe, PID 3012)
depth 102  C:\Windows\SysWOW64\inmibthrw.exe   (command line: C:\Windows\system32\inmibthrw.exe, PID 2752)
depth 103  C:\Windows\SysWOW64\indrzpldy.exe   (command line: C:\Windows\system32\indrzpldy.exe, PID 1284)
depth 104  C:\Windows\SysWOW64\inionprva.exe   (command line: C:\Windows\system32\inionprva.exe, PID 1080)
depth 105  C:\Windows\SysWOW64\insnyjjgx.exe   (command line: C:\Windows\system32\insnyjjgx.exe, PID 2068)
depth 106  C:\Windows\SysWOW64\inufueytz.exe   (command line: C:\Windows\system32\inufueytz.exe, PID 2240)
depth 107  C:\Windows\SysWOW64\incsnrmiw.exe   (command line: C:\Windows\system32\incsnrmiw.exe, PID 1628)
depth 108  C:\Windows\SysWOW64\inumafjdj.exe   (command line: C:\Windows\system32\inumafjdj.exe, PID 1960)
depth 109  C:\Windows\SysWOW64\inbnjcuis.exe   (command line: C:\Windows\system32\inbnjcuis.exe, PID 2120)
depth 110  C:\Windows\SysWOW64\inadbobmd.exe   (command line: C:\Windows\system32\inadbobmd.exe, PID 3064)
depth 111  C:\Windows\SysWOW64\inbbkvfva.exe   (command line: C:\Windows\system32\inbbkvfva.exe, PID 2420)
depth 112  C:\Windows\SysWOW64\inwgusogd.exe   (command line: C:\Windows\system32\inwgusogd.exe, PID 860)
depth 113  C:\Windows\SysWOW64\inrjcgagg.exe   (command line: C:\Windows\system32\inrjcgagg.exe, PID 2164)
depth 114  C:\Windows\SysWOW64\ingvzmksi.exe   (command line: C:\Windows\system32\ingvzmksi.exe, PID 1280)
depth 115  C:\Windows\SysWOW64\inqzfhsqg.exe   (command line: C:\Windows\system32\inqzfhsqg.exe, PID 1040)
depth 116  C:\Windows\SysWOW64\inulkzdji.exe   (command line: C:\Windows\system32\inulkzdji.exe, PID 292)
depth 117  C:\Windows\SysWOW64\indpalewk.exe   (command line: C:\Windows\system32\indpalewk.exe, PID 1840)
depth 118  C:\Windows\SysWOW64\inrlmbbts.exe   (command line: C:\Windows\system32\inrlmbbts.exe, PID 1440)
depth 119  C:\Windows\SysWOW64\indtwnmuu.exe   (command line: C:\Windows\system32\indtwnmuu.exe, PID 3024)
depth 120  C:\Windows\SysWOW64\injyiwuqi.exe   (command line: C:\Windows\system32\injyiwuqi.exe, PID 320)
depth 121  C:\Windows\SysWOW64\inkzrlbas.exe   (command line: C:\Windows\system32\inkzrlbas.exe, PID 2784)
depth 122  C:\Windows\SysWOW64\injsnioht.exe   (command line: C:\Windows\system32\injsnioht.exe, PID 2260)