Analysis
max time kernel: 120s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2024, 16:29
Behavioral task: behavioral1
Sample: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Resource: win10v2004-20241007-en
General
Target: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
Size: 348KB
MD5: bdc1ddc53cbccb1282d8ea5a71e93d00
SHA1: 3c0c44b40da2bf72021db3e1bb72f3ab5e3508ba
SHA256: 8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ff
SHA512: 3d10acc75e96b18d9b42575de73c19d221c5a2cf7ba58f69ccb4afbc4155ff493b8ed0adbad9c44e729fd2f6d7377aa7a305bc9bb9dccae0aad39df415393cb8
SSDEEP: 6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0S8:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0g
Malware Config
Signatures
Gh0st RAT payload 46 IoCs
Gh0strat family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
ACProtect 1.3x - 1.4x DLL software 16 IoCs
Detects file using ACProtect software.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 28 IoCs
pid  Process
3080  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe
2396  inqcxrfhg.exe
492  indskelwb.exe
748  inlsmacbt.exe
2224  inaphxbit.exe
1348  inhwoipfi.exe
4384  inmeufqjy.exe
3140  inpbwqegf.exe
4528  inwixlnmf.exe
2644  innqsrkjz.exe
3040  inetlfmxc.exe
4952  injyqkarh.exe
736  inqmfrmyb.exe
5076  inbqiycju.exe
2912  inbuxzyre.exe
3236  incgzwjvl.exe
3144  inxtemyti.exe
2600  inaikwkwh.exe
3464  insohtodl.exe
760  inbqostfv.exe
2208  ingtgabri.exe
1780  inkbaivic.exe
2224  inldtepix.exe
5060  inqtvunam.exe
4036  incvyzsfr.exe
3872  inykznpoh.exe
3808  injmdckxk.exe
504  incanalcr.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 3080 wrote to memory of 2396  3080  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe  84
PID 3080 wrote to memory of 2396  3080  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe  84
PID 3080 wrote to memory of 2396  3080  8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe  84
PID 2396 wrote to memory of 492  2396  inqcxrfhg.exe  85
PID 2396 wrote to memory of 492  2396  inqcxrfhg.exe  85
PID 2396 wrote to memory of 492  2396  inqcxrfhg.exe  85
PID 492 wrote to memory of 748  492  indskelwb.exe  86
PID 492 wrote to memory of 748  492  indskelwb.exe  86
PID 492 wrote to memory of 748  492  indskelwb.exe  86
PID 748 wrote to memory of 2224  748  inlsmacbt.exe  87
PID 748 wrote to memory of 2224  748  inlsmacbt.exe  87
PID 748 wrote to memory of 2224  748  inlsmacbt.exe  87
PID 2224 wrote to memory of 1348  2224  inaphxbit.exe  88
PID 2224 wrote to memory of 1348  2224  inaphxbit.exe  88
PID 2224 wrote to memory of 1348  2224  inaphxbit.exe  88
PID 1348 wrote to memory of 4384  1348  inhwoipfi.exe  89
PID 1348 wrote to memory of 4384  1348  inhwoipfi.exe  89
PID 1348 wrote to memory of 4384  1348  inhwoipfi.exe  89
PID 4384 wrote to memory of 3140  4384  inmeufqjy.exe  90
PID 4384 wrote to memory of 3140  4384  inmeufqjy.exe  90
PID 4384 wrote to memory of 3140  4384  inmeufqjy.exe  90
PID 3140 wrote to memory of 4528  3140  inpbwqegf.exe  91
PID 3140 wrote to memory of 4528  3140  inpbwqegf.exe  91
PID 3140 wrote to memory of 4528  3140  inpbwqegf.exe  91
PID 4528 wrote to memory of 2644  4528  inwixlnmf.exe  92
PID 4528 wrote to memory of 2644  4528  inwixlnmf.exe  92
PID 4528 wrote to memory of 2644  4528  inwixlnmf.exe  92
PID 2644 wrote to memory of 3040  2644  innqsrkjz.exe  93
PID 2644 wrote to memory of 3040  2644  innqsrkjz.exe  93
PID 2644 wrote to memory of 3040  2644  innqsrkjz.exe  93
PID 3040 wrote to memory of 4952  3040  inetlfmxc.exe  94
PID 3040 wrote to memory of 4952  3040  inetlfmxc.exe  94
PID 3040 wrote to memory of 4952  3040  inetlfmxc.exe  94
PID 4952 wrote to memory of 736  4952  injyqkarh.exe  95
PID 4952 wrote to memory of 736  4952  injyqkarh.exe  95
PID 4952 wrote to memory of 736  4952  injyqkarh.exe  95
PID 736 wrote to memory of 5076  736  inqmfrmyb.exe  96
PID 736 wrote to memory of 5076  736  inqmfrmyb.exe  96
PID 736 wrote to memory of 5076  736  inqmfrmyb.exe  96
PID 5076 wrote to memory of 2912  5076  inbqiycju.exe  97
PID 5076 wrote to memory of 2912  5076  inbqiycju.exe  97
PID 5076 wrote to memory of 2912  5076  inbqiycju.exe  97
PID 2912 wrote to memory of 3236  2912  inbuxzyre.exe  98
PID 2912 wrote to memory of 3236  2912  inbuxzyre.exe  98
PID 2912 wrote to memory of 3236  2912  inbuxzyre.exe  98
PID 3236 wrote to memory of 3144  3236  incgzwjvl.exe  99
PID 3236 wrote to memory of 3144  3236  incgzwjvl.exe  99
PID 3236 wrote to memory of 3144  3236  incgzwjvl.exe  99
PID 3144 wrote to memory of 2600  3144  inxtemyti.exe  100
PID 3144 wrote to memory of 2600  3144  inxtemyti.exe  100
PID 3144 wrote to memory of 2600  3144  inxtemyti.exe  100
PID 2600 wrote to memory of 3464  2600  inaikwkwh.exe  101
PID 2600 wrote to memory of 3464  2600  inaikwkwh.exe  101
PID 2600 wrote to memory of 3464  2600  inaikwkwh.exe  101
PID 3464 wrote to memory of 760  3464  insohtodl.exe  102
PID 3464 wrote to memory of 760  3464  insohtodl.exe  102
PID 3464 wrote to memory of 760  3464  insohtodl.exe  102
PID 760 wrote to memory of 2208  760  inbqostfv.exe  103
PID 760 wrote to memory of 2208  760  inbqostfv.exe  103
PID 760 wrote to memory of 2208  760  inbqostfv.exe  103
PID 2208 wrote to memory of 1780  2208  ingtgabri.exe  104
PID 2208 wrote to memory of 1780  2208  ingtgabri.exe  104
PID 2208 wrote to memory of 1780  2208  ingtgabri.exe  104
PID 1780 wrote to memory of 2224  1780  inkbaivic.exe  105
Processes
-
depth 1, PID 3080: C:\Users\Admin\AppData\Local\Temp\8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8c5be896b660b59046f1e0990c72fd7abed0f51369a8510e805c1db8f6f582ffN.exe")
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 2, PID 2396: C:\Windows\SysWOW64\inqcxrfhg.exe (command line: C:\Windows\system32\inqcxrfhg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 3, PID 492: C:\Windows\SysWOW64\indskelwb.exe (command line: C:\Windows\system32\indskelwb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 4, PID 748: C:\Windows\SysWOW64\inlsmacbt.exe (command line: C:\Windows\system32\inlsmacbt.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 5, PID 2224: C:\Windows\SysWOW64\inaphxbit.exe (command line: C:\Windows\system32\inaphxbit.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 6, PID 1348: C:\Windows\SysWOW64\inhwoipfi.exe (command line: C:\Windows\system32\inhwoipfi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 7, PID 4384: C:\Windows\SysWOW64\inmeufqjy.exe (command line: C:\Windows\system32\inmeufqjy.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 8, PID 3140: C:\Windows\SysWOW64\inpbwqegf.exe (command line: C:\Windows\system32\inpbwqegf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 9, PID 4528: C:\Windows\SysWOW64\inwixlnmf.exe (command line: C:\Windows\system32\inwixlnmf.exe)
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 10, PID 2644: C:\Windows\SysWOW64\innqsrkjz.exe (command line: C:\Windows\system32\innqsrkjz.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 11, PID 3040: C:\Windows\SysWOW64\inetlfmxc.exe (command line: C:\Windows\system32\inetlfmxc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 12, PID 4952: C:\Windows\SysWOW64\injyqkarh.exe (command line: C:\Windows\system32\injyqkarh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 13, PID 736: C:\Windows\SysWOW64\inqmfrmyb.exe (command line: C:\Windows\system32\inqmfrmyb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 14, PID 5076: C:\Windows\SysWOW64\inbqiycju.exe (command line: C:\Windows\system32\inbqiycju.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 15, PID 2912: C:\Windows\SysWOW64\inbuxzyre.exe (command line: C:\Windows\system32\inbuxzyre.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 16, PID 3236: C:\Windows\SysWOW64\incgzwjvl.exe (command line: C:\Windows\system32\incgzwjvl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 17, PID 3144: C:\Windows\SysWOW64\inxtemyti.exe (command line: C:\Windows\system32\inxtemyti.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 18, PID 2600: C:\Windows\SysWOW64\inaikwkwh.exe (command line: C:\Windows\system32\inaikwkwh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 19, PID 3464: C:\Windows\SysWOW64\insohtodl.exe (command line: C:\Windows\system32\insohtodl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 20, PID 760: C:\Windows\SysWOW64\inbqostfv.exe (command line: C:\Windows\system32\inbqostfv.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 21, PID 2208: C:\Windows\SysWOW64\ingtgabri.exe (command line: C:\Windows\system32\ingtgabri.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 22, PID 1780: C:\Windows\SysWOW64\inkbaivic.exe (command line: C:\Windows\system32\inkbaivic.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
depth 23, PID 2224: C:\Windows\SysWOW64\inldtepix.exe (command line: C:\Windows\system32\inldtepix.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 24, PID 5060: C:\Windows\SysWOW64\inqtvunam.exe (command line: C:\Windows\system32\inqtvunam.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 25, PID 4036: C:\Windows\SysWOW64\incvyzsfr.exe (command line: C:\Windows\system32\incvyzsfr.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 26, PID 3872: C:\Windows\SysWOW64\inykznpoh.exe (command line: C:\Windows\system32\inykznpoh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 27, PID 3808: C:\Windows\SysWOW64\injmdckxk.exe (command line: C:\Windows\system32\injmdckxk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 28, PID 504: C:\Windows\SysWOW64\incanalcr.exe (command line: C:\Windows\system32\incanalcr.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
depth 29, PID 992: C:\Windows\SysWOW64\inecpcnet.exe (command line: C:\Windows\system32\inecpcnet.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
depth 30, PID 4468: C:\Windows\SysWOW64\inyufnzuj.exe (command line: C:\Windows\system32\inyufnzuj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
depth 31, PID 2776: C:\Windows\SysWOW64\inwhpwale.exe (command line: C:\Windows\system32\inwhpwale.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
depth 32, PID 648: C:\Windows\SysWOW64\inpsutmlb.exe (command line: C:\Windows\system32\inpsutmlb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
depth 33, PID 2492: C:\Windows\SysWOW64\inyorihpp.exe (command line: C:\Windows\system32\inyorihpp.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 34, PID 212: C:\Windows\SysWOW64\invrckwrg.exe (command line: C:\Windows\system32\invrckwrg.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 35, PID 3492: C:\Windows\SysWOW64\indlyubtu.exe (command line: C:\Windows\system32\indlyubtu.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 36, PID 456: C:\Windows\SysWOW64\indwztgsi.exe (command line: C:\Windows\system32\indwztgsi.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 37, PID 2692: C:\Windows\SysWOW64\inyjbrycn.exe (command line: C:\Windows\system32\inyjbrycn.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 38, PID 1720: C:\Windows\SysWOW64\inpleqlxa.exe (command line: C:\Windows\system32\inpleqlxa.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 39, PID 4964: C:\Windows\SysWOW64\inortslka.exe (command line: C:\Windows\system32\inortslka.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 40, PID 2780: C:\Windows\SysWOW64\inxnqhgoo.exe (command line: C:\Windows\system32\inxnqhgoo.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 41, PID 4124: C:\Windows\SysWOW64\incrjzdkv.exe (command line: C:\Windows\system32\incrjzdkv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 42, PID 716: C:\Windows\SysWOW64\inpkvggzd.exe (command line: C:\Windows\system32\inpkvggzd.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 43, PID 4236: C:\Windows\SysWOW64\infhthtec.exe (command line: C:\Windows\system32\infhthtec.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 44, PID 1064: C:\Windows\SysWOW64\inbfyviuk.exe (command line: C:\Windows\system32\inbfyviuk.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 45, PID 4828: C:\Windows\SysWOW64\inigtklnv.exe (command line: C:\Windows\system32\inigtklnv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 46, PID 3964: C:\Windows\SysWOW64\intsuvkkg.exe (command line: C:\Windows\system32\intsuvkkg.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 47, PID 2988: C:\Windows\SysWOW64\inogwahsa.exe (command line: C:\Windows\system32\inogwahsa.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 48, PID 2980: C:\Windows\SysWOW64\inbpxnjbw.exe (command line: C:\Windows\system32\inbpxnjbw.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 49, PID 1264: C:\Windows\SysWOW64\insvxwpco.exe (command line: C:\Windows\system32\insvxwpco.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 50, PID 1804: C:\Windows\SysWOW64\inhegsgsd.exe (command line: C:\Windows\system32\inhegsgsd.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 51, PID 2804: C:\Windows\SysWOW64\ineuxonvv.exe (command line: C:\Windows\system32\ineuxonvv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 52, PID 1596: C:\Windows\SysWOW64\indtkzjxv.exe (command line: C:\Windows\system32\indtkzjxv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 53, PID 2920: C:\Windows\SysWOW64\indhxkwmb.exe (command line: C:\Windows\system32\indhxkwmb.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 54, PID 1188: C:\Windows\SysWOW64\inrfpuysy.exe (command line: C:\Windows\system32\inrfpuysy.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 55, PID 4280: C:\Windows\SysWOW64\invuwaxma.exe (command line: C:\Windows\system32\invuwaxma.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 56, PID 2004: C:\Windows\SysWOW64\injkrqgyq.exe (command line: C:\Windows\system32\injkrqgyq.exe)
- Executes dropped EXE
depth 57, PID 3080: C:\Windows\SysWOW64\inomzqrdt.exe (command line: C:\Windows\system32\inomzqrdt.exe)
- Suspicious use of AdjustPrivilegeToken
depth 58, PID 4860: C:\Windows\SysWOW64\incraptug.exe (command line: C:\Windows\system32\incraptug.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 59, PID 3384: C:\Windows\SysWOW64\inaexuhtj.exe (command line: C:\Windows\system32\inaexuhtj.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 60, PID 760: C:\Windows\SysWOW64\infslrijv.exe (command line: C:\Windows\system32\infslrijv.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 61, PID 2156: C:\Windows\SysWOW64\inmprqjiy.exe (command line: C:\Windows\system32\inmprqjiy.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 62, PID 4144: C:\Windows\SysWOW64\inmibthrw.exe (command line: C:\Windows\system32\inmibthrw.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 63, PID 2224: C:\Windows\SysWOW64\inbmkzbqa.exe (command line: C:\Windows\system32\inbmkzbqa.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 64, PID 4236: C:\Windows\SysWOW64\inpiofygs.exe (command line: C:\Windows\system32\inpiofygs.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 65, PID 1064: C:\Windows\SysWOW64\inbjudnts.exe (command line: C:\Windows\system32\inbjudnts.exe)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
depth 66, PID 1660: C:\Windows\SysWOW64\insrzztuj.exe (command line: C:\Windows\system32\insrzztuj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 67, PID 3964: C:\Windows\SysWOW64\inmtnbdcu.exe (command line: C:\Windows\system32\inmtnbdcu.exe)
depth 68, PID 4528: C:\Windows\SysWOW64\inijzqpfx.exe (command line: C:\Windows\system32\inijzqpfx.exe)
- Drops file in System32 directory
depth 69, PID 2560: C:\Windows\SysWOW64\inadbobmd.exe (command line: C:\Windows\system32\inadbobmd.exe)
depth 70, PID 2796: C:\Windows\SysWOW64\infdqdofu.exe (command line: C:\Windows\system32\infdqdofu.exe)
depth 71, PID 968: C:\Windows\SysWOW64\inzvgovkd.exe (command line: C:\Windows\system32\inzvgovkd.exe)
depth 72, PID 3496: C:\Windows\SysWOW64\inhjvjvge.exe (command line: C:\Windows\system32\inhjvjvge.exe)
depth 73, PID 1296: C:\Windows\SysWOW64\ingvzmksi.exe (command line: C:\Windows\system32\ingvzmksi.exe)
depth 74, PID 4792: C:\Windows\SysWOW64\inrngsnzc.exe (command line: C:\Windows\system32\inrngsnzc.exe)
depth 75, PID 3236: C:\Windows\SysWOW64\inuqbjvqf.exe (command line: C:\Windows\system32\inuqbjvqf.exe)
depth 76, PID 3940: C:\Windows\SysWOW64\ineybxzdp.exe (command line: C:\Windows\system32\ineybxzdp.exe)
depth 77, PID 2908: C:\Windows\SysWOW64\intfuikjc.exe (command line: C:\Windows\system32\intfuikjc.exe)
depth 78, PID 2304: C:\Windows\SysWOW64\inpqffxwb.exe (command line: C:\Windows\system32\inpqffxwb.exe)
depth 79, PID 1980: C:\Windows\SysWOW64\inrjcgagg.exe (command line: C:\Windows\system32\inrjcgagg.exe)
depth 80, PID 1584: C:\Windows\SysWOW64\inewrcnnk.exe (command line: C:\Windows\system32\inewrcnnk.exe)
depth 81, PID 4320: C:\Windows\SysWOW64\innfvgrkz.exe (command line: C:\Windows\system32\innfvgrkz.exe)
- Drops file in System32 directory
depth 82, PID 4716: C:\Windows\SysWOW64\inhscspdt.exe (command line: C:\Windows\system32\inhscspdt.exe)
depth 83, PID 2132: C:\Windows\SysWOW64\inbjwysrs.exe (command line: C:\Windows\system32\inbjwysrs.exe)
depth 84, PID 2784: C:\Windows\SysWOW64\inwemzvcu.exe (command line: C:\Windows\system32\inwemzvcu.exe)
depth 85, PID 4072: C:\Windows\SysWOW64\ingiuiufd.exe (command line: C:\Windows\system32\ingiuiufd.exe)
depth 86, PID 4828: C:\Windows\SysWOW64\inuwftrhn.exe (command line: C:\Windows\system32\inuwftrhn.exe)
depth 87, PID 3136: C:\Windows\SysWOW64\inefvmlzb.exe (command line: C:\Windows\system32\inefvmlzb.exe)
depth 88, PID 2328: C:\Windows\SysWOW64\inulkzdji.exe (command line: C:\Windows\system32\inulkzdji.exe)
depth 89, PID 1712: C:\Windows\SysWOW64\inejnhnnw.exe (command line: C:\Windows\system32\inejnhnnw.exe)
depth 90, PID 1612: C:\Windows\SysWOW64\inniyteex.exe (command line: C:\Windows\system32\inniyteex.exe)
- System Location Discovery: System Language Discovery
depth 91, PID 2292: C:\Windows\SysWOW64\inuhqyjhd.exe (command line: C:\Windows\system32\inuhqyjhd.exe)
depth 92, PID 3132: C:\Windows\SysWOW64\ingrakqpr.exe (command line: C:\Windows\system32\ingrakqpr.exe)
depth 93, PID 2920: C:\Windows\SysWOW64\inxjymong.exe (command line: C:\Windows\system32\inxjymong.exe)
depth 94, PID 880: C:\Windows\SysWOW64\inkzrlbas.exe (command line: C:\Windows\system32\inkzrlbas.exe)
- Drops file in System32 directory
depth 95, PID 5044: C:\Windows\SysWOW64\inhwnltjf.exe (command line: C:\Windows\system32\inhwnltjf.exe)
depth 96, PID 4452: C:\Windows\SysWOW64\injwnoaqy.exe (command line: C:\Windows\system32\injwnoaqy.exe)
depth 97, PID 4608: C:\Windows\SysWOW64\innlypqcs.exe (command line: C:\Windows\system32\innlypqcs.exe)
depth 98, PID 1492: C:\Windows\SysWOW64\inatwyxqd.exe (command line: C:\Windows\system32\inatwyxqd.exe)
depth 99, PID 792: C:\Windows\SysWOW64\inugvjlkd.exe (command line: C:\Windows\system32\inugvjlkd.exe)
depth 100, PID 2284: C:\Windows\SysWOW64\inxhvtpha.exe (command line: C:\Windows\system32\inxhvtpha.exe)
depth 101, PID 3988: C:\Windows\SysWOW64\inpkfxleq.exe (command line: C:\Windows\system32\inpkfxleq.exe)
- Drops file in System32 directory
depth 102, PID 1780: C:\Windows\SysWOW64\inoxdfqoe.exe (command line: C:\Windows\system32\inoxdfqoe.exe)
depth 103, PID 3688: C:\Windows\SysWOW64\inkivmnpx.exe (command line: C:\Windows\system32\inkivmnpx.exe)
depth 104, PID 2024: C:\Windows\SysWOW64\incwvxbyn.exe (command line: C:\Windows\system32\incwvxbyn.exe)
depth 105, PID 3052: C:\Windows\SysWOW64\inwsdlxsh.exe (command line: C:\Windows\system32\inwsdlxsh.exe)
depth 106, PID 1316: C:\Windows\SysWOW64\inbohznex.exe (command line: C:\Windows\system32\inbohznex.exe)
depth 107, PID 752: C:\Windows\SysWOW64\inkuaczqt.exe (command line: C:\Windows\system32\inkuaczqt.exe)
depth 108, PID 2988: C:\Windows\SysWOW64\inixomukg.exe (command line: C:\Windows\system32\inixomukg.exe)
depth 109, PID 3452: C:\Windows\SysWOW64\intpaiupe.exe (command line: C:\Windows\system32\intpaiupe.exe)
depth 110, PID 4984: C:\Windows\SysWOW64\inbsfowhf.exe (command line: C:\Windows\system32\inbsfowhf.exe)
depth 111, PID 2436: C:\Windows\SysWOW64\inbrulkss.exe (command line: C:\Windows\system32\inbrulkss.exe)
depth 112, PID 2804: C:\Windows\SysWOW64\invhwkmle.exe (command line: C:\Windows\system32\invhwkmle.exe)
depth 113, PID 968: C:\Windows\SysWOW64\ingwzqpxx.exe (command line: C:\Windows\system32\ingwzqpxx.exe)
depth 114, PID 2292: C:\Windows\SysWOW64\inxtleici.exe (command line: C:\Windows\system32\inxtleici.exe)
depth 115, PID 3184: C:\Windows\SysWOW64\inxsdoolp.exe (command line: C:\Windows\system32\inxsdoolp.exe)
depth 116, PID 1188: C:\Windows\SysWOW64\ingtvpopk.exe (command line: C:\Windows\system32\ingtvpopk.exe)
depth 117, PID 3720: C:\Windows\SysWOW64\inruwvobn.exe (command line: C:\Windows\system32\inruwvobn.exe)
depth 118, PID 3520: C:\Windows\SysWOW64\insezthji.exe (command line: C:\Windows\system32\insezthji.exe)
depth 119, PID 3940: C:\Windows\SysWOW64\infumgnyd.exe (command line: C:\Windows\system32\infumgnyd.exe)
depth 120, PID 3704: C:\Windows\SysWOW64\intcrvwiy.exe (command line: C:\Windows\system32\intcrvwiy.exe)
depth 121, PID 3384: C:\Windows\SysWOW64\infvypoww.exe (command line: C:\Windows\system32\infvypoww.exe)
depth 122, PID 1852: C:\Windows\SysWOW64\inilcbjwj.exe (command line: C:\Windows\system32\inilcbjwj.exe)