Analysis
max time kernel: 102s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 30-12-2023 12:58
Behavioral task: behavioral1
Sample: 193e22249aad4b2a1757cf613cf63a5d.exe
Resource: win7-20231129-en (windows7-x64)
1 signature, 150 seconds

Behavioral task: behavioral2
Sample: 193e22249aad4b2a1757cf613cf63a5d.exe
Resource: win10v2004-20231215-en (windows10-2004-x64)
6 signatures, 150 seconds
General
Target: 193e22249aad4b2a1757cf613cf63a5d.exe
Size: 9KB
MD5: 193e22249aad4b2a1757cf613cf63a5d
SHA1: d171474c73a0fe4b99f0599a81264a7fdaceef33
SHA256: cf25ba9eb19298bceaa12c0fb5570b6dbe4c4caacf3b6b8f17438671d024ad8d
SHA512: 9f28d9d6b870aa0e139a5b59c517cfea75c73d89de7435ecbd29f1cec8861f1aec7962b73269454b1f5038993c0d87e4efb3e11b54fb456d49c24095856dd236
SSDEEP: 192:5f4SJfN8bkFrDoPvk1m0jc21yaT7/LpqyJd366f+:dXfN8wrDoPvb0jRyav37f
Score: 7/10
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
pid Process
5088 sgqpy.exe
2160 jytzbduc.exe
1852 nqrmblba.exe
3788 natra.exe
1432 vccpxoyd.exe
1940 nzarhoat.exe
1968 lmpifxb.exe
1776 llkrtyuz.exe
4640 pfsdond.exe
3940 hibty.exe
4312 tjybzr.exe
3520 lyfrwfh.exe
4496 jbtcts.exe
4396 wgnaahn.exe
4964 ddalg.exe
2252 uoedl.exe
3976 zxmhgcbo.exe
852 alkracgp.exe
1924 muhud.exe
3948 qwgss.exe
4236 kucyi.exe
3336 jdhvg.exe
4200 kczkumtm.exe
2484 pmyjf.exe
224 xrqyy.exe
736 kwmwdx.exe
3060 ajosgd.exe
2396 qexjoyb.exe
1176 fgwijl.exe
924 dpgrrcna.exe
5000 jnvuz.exe
2824 nivdi.exe
2332 vwdaskh.exe
2652 gowlw.exe
4596 lxebk.exe
2176 gthajv.exe
4024 qqqcbdve.exe
4008 htianjy.exe
4628 wiiqwq.exe
3276 zlproff.exe
4916 mimgu.exe
4976 foyfndsp.exe
4604 dphyyi.exe
3488 ifjxy.exe
228 fvhkhqg.exe
3616 adqak.exe
944 hezsfdn.exe
3408 unmcjml.exe
3256 xntuh.exe
3928 qeyqwb.exe
4868 cgxhwl.exe
3544 qfofw.exe
4940 bizdmy.exe
2780 pcnzs.exe
404 ixctftp.exe
4508 xnsjowih.exe
3080 ahoxdug.exe
3936 huoub.exe
2272 vibcr.exe
1772 gkpvzzh.exe
3208 bftyslk.exe
4708 hfklfgrg.exe
3484 axpsjrw.exe
4044 drnbotpz.exe
resource yara_rule
behavioral2/memory/4292-0-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/files/0x00080000000224fc-3.dat upx
behavioral2/memory/1852-13-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/4292-41-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/5088-46-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/2160-51-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/1968-73-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/3940-85-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/2396-119-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/4596-142-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/3256-191-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/2780-203-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/3936-212-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/4700-255-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/5324-327-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/6272-412-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/6944-543-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/9036-1894-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/8356-1923-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/9524-2019-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/8796-3633-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/6400-3871-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/10040-3944-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/1052-4092-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/10400-4108-0x0000000031420000-0x000000003142B000-memory.dmp upx
behavioral2/memory/12096-4230-0x0000000031420000-0x000000003142B000-memory.dmp upx
Adds Run key to start application (2 TTPs, 64 IoCs)
description ioc Process
Every row below is: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = <value>, written by <Process>
"C:\\Windows\\system32\\vwdaskh.exe" nivdi.exe
"C:\\Windows\\system32\\drnbotpz.exe" axpsjrw.exe
"C:\\Windows\\system32\\wtfiujir.exe" lwoqkkas.exe
"C:\\Windows\\system32\\jqpwhkt.exe" snsams.exe
"C:\\Windows\\system32\\hncbfvx.exe" kkeajrpx.exe
"C:\\Windows\\system32\\fzkypyae.exe" tcnqwhr.exe
"C:\\Windows\\system32\\hibty.exe" pfsdond.exe
"C:\\Windows\\system32\\xjqdgjnb.exe" vsypuwqm.exe
"C:\\Windows\\system32\\ykxol.exe" mivmyoif.exe
"C:\\Windows\\system32\\gowlw.exe" vwdaskh.exe
"C:\\Windows\\system32\\fzgshjxh.exe" fggup.exe
"C:\\Windows\\system32\\inhzrar.exe" txkrlqv.exe
"C:\\Windows\\system32\\ncplbbmo.exe" lortpt.exe
"C:\\Windows\\system32\\hcunywx.exe" sslnpt.exe
"C:\\Windows\\system32\\lpyvvr.exe" dgigo.exe
"C:\\Windows\\system32\\wphaxnl.exe" dbwxlwik.exe
"C:\\Windows\\system32\\szxjcvc.exe" hhuzehmr.exe
"C:\\Windows\\system32\\oewuid.exe" dnpzrfu.exe
"C:\\Windows\\system32\\eujhm.exe" reabcbsj.exe
"C:\\Windows\\system32\\zyxswtw.exe" corra.exe
"C:\\Windows\\system32\\zvzhkylr.exe" dzgnpfoj.exe
"C:\\Windows\\system32\\rcphkm.exe" zvyueg.exe
"C:\\Windows\\system32\\obbiksdf.exe" ltttdf.exe
"C:\\Windows\\system32\\hkvlcsee.exe" sojbno.exe
"C:\\Windows\\system32\\jttsvaz.exe" czpmk.exe
"C:\\Windows\\system32\\uynkvsb.exe" dycdxgi.exe
"C:\\Windows\\system32\\yqxxka.exe" fmcnmolp.exe
"C:\\Windows\\system32\\hfklfgrg.exe" bftyslk.exe
"C:\\Windows\\system32\\eiahpsx.exe" wwdxt.exe
"C:\\Windows\\system32\\mzwpzgp.exe" qmdsaqhd.exe
"C:\\Windows\\system32\\vmxpba.exe" Process not Found
"C:\\Windows\\system32\\nmdziz.exe" cbqvpwq.exe
"C:\\Windows\\system32\\apaxycm.exe" gdboy.exe
"C:\\Windows\\system32\\mkwpqi.exe" phvkkp.exe
"C:\\Windows\\system32\\pznbsj.exe" sqomq.exe
"C:\\Windows\\system32\\lwyelz.exe" wtwyycr.exe
"C:\\Windows\\system32\\bmzevetn.exe" Process not Found
"C:\\Windows\\system32\\yzhcypb.exe" nului.exe
"C:\\Windows\\system32\\qlvwi.exe" gpxjqcgw.exe
"C:\\Windows\\system32\\gjzwdnjo.exe" qyvxavcm.exe
"C:\\Windows\\system32\\sjoccrai.exe" asnbmpq.exe
"C:\\Windows\\system32\\gyzmvh.exe" vaydob.exe
"C:\\Windows\\system32\\iatyx.exe" egijrzny.exe
"C:\\Windows\\system32\\jaulz.exe" nupwoul.exe
"C:\\Windows\\system32\\titgym.exe" wphaxnl.exe
"C:\\Windows\\system32\\cbolimp.exe" ygchczc.exe
"C:\\Windows\\system32\\armqrjm.exe" efdkogip.exe
"C:\\Windows\\system32\\uxmjdy.exe" jkerqps.exe
"C:\\Windows\\system32\\okvqblw.exe" xoseq.exe
"C:\\Windows\\system32\\ygchczc.exe" ttrpmspk.exe
"C:\\Windows\\system32\\fleoij.exe" wgfpb.exe
"C:\\Windows\\system32\\jjlqtesm.exe" qlerjg.exe
"C:\\Windows\\system32\\zxmhgcbo.exe" uoedl.exe
"C:\\Windows\\system32\\ydmrkl.exe" xcdrdzae.exe
"C:\\Windows\\system32\\fzyeu.exe" gzoqye.exe
"C:\\Windows\\system32\\qoewhv.exe" wrtvcpup.exe
"C:\\Windows\\system32\\fbznd.exe" vpnxnha.exe
"C:\\Windows\\system32\\cdbtgft.exe" zribt.exe
"C:\\Windows\\system32\\sojbno.exe" khlxvvzp.exe
"C:\\Windows\\system32\\enuqdni.exe" wffysgye.exe
"C:\\Windows\\system32\\dsyjyi.exe" oavgbxe.exe
"C:\\Windows\\system32\\uungh.exe" frznu.exe
"C:\\Windows\\system32\\msjaex.exe" hhcsh.exe
"C:\\Windows\\system32\\bwjpeu.exe" bvdtvt.exe
Drops file in System32 directory (64 IoCs)
description ioc Process
File opened for modification C:\Windows\SysWOW64\abgcx.exe mynhze.exe
File opened for modification C:\Windows\SysWOW64\hedvn.exe qorfov.exe
File created C:\Windows\SysWOW64\bvnml.exe Process not Found
File created C:\Windows\SysWOW64\jxviwluw.exe tscnrgdq.exe
File created C:\Windows\SysWOW64\zatdqb.exe tqrhhs.exe
File opened for modification C:\Windows\SysWOW64\rhaytm.exe uuijigwj.exe
File opened for modification C:\Windows\SysWOW64\kkeajrpx.exe fmket.exe
File created C:\Windows\SysWOW64\skckxnf.exe ntmqgid.exe
File created C:\Windows\SysWOW64\gtohid.exe afepruhb.exe
File opened for modification C:\Windows\SysWOW64\yacuk.exe olvyknr.exe
File created C:\Windows\SysWOW64\qxfgptx.exe mehpbip.exe
File created C:\Windows\SysWOW64\enuqdni.exe wffysgye.exe
File created C:\Windows\SysWOW64\nkeusq.exe glbxfq.exe
File opened for modification C:\Windows\SysWOW64\kfipus.exe iwwcktr.exe
File created C:\Windows\SysWOW64\jnhfglqc.exe afjhjqm.exe
File created C:\Windows\SysWOW64\ottmz.exe xoqbgd.exe
File created C:\Windows\SysWOW64\epiosbhc.exe zswnr.exe
File created C:\Windows\SysWOW64\xfttdrqk.exe salucu.exe
File opened for modification C:\Windows\SysWOW64\bdkws.exe hsqjqzt.exe
File created C:\Windows\SysWOW64\xqyskip.exe cukkcuy.exe
File opened for modification C:\Windows\SysWOW64\wqcutw.exe ndkjd.exe
File created C:\Windows\SysWOW64\hwrwj.exe cjqtsq.exe
File created C:\Windows\SysWOW64\cbolimp.exe ygchczc.exe
File opened for modification C:\Windows\SysWOW64\jmtsbkcc.exe yytrbnzn.exe
File created C:\Windows\SysWOW64\cttjhuo.exe xitkua.exe
File created C:\Windows\SysWOW64\hcunywx.exe sslnpt.exe
File created C:\Windows\SysWOW64\nxacnz.exe fodzhqpa.exe
File opened for modification C:\Windows\SysWOW64\txkrlqv.exe jxvtsjg.exe
File opened for modification C:\Windows\SysWOW64\cbjyzmy.exe szpyoxc.exe
File created C:\Windows\SysWOW64\jupgcyv.exe leusk.exe
File created C:\Windows\SysWOW64\jlwov.exe mpnhp.exe
File created C:\Windows\SysWOW64\ufmvryq.exe Process not Found
File created C:\Windows\SysWOW64\adqapom.exe bimmp.exe
File opened for modification C:\Windows\SysWOW64\ruddfsl.exe qxfgptx.exe
File created C:\Windows\SysWOW64\ystfz.exe gtohid.exe
File opened for modification C:\Windows\SysWOW64\leyiv.exe dsybnh.exe
File created C:\Windows\SysWOW64\oqsaqp.exe powqvc.exe
File created C:\Windows\SysWOW64\tmylohy.exe gyngwl.exe
File opened for modification C:\Windows\SysWOW64\pstcpa.exe ucjldi.exe
File created C:\Windows\SysWOW64\pndawbv.exe qiewt.exe
File opened for modification C:\Windows\SysWOW64\uakoejs.exe znxqi.exe
File opened for modification C:\Windows\SysWOW64\afjhjqm.exe ynoje.exe
File created C:\Windows\SysWOW64\aeovjffr.exe ihohuhov.exe
File opened for modification C:\Windows\SysWOW64\jqpwhkt.exe snsams.exe
File opened for modification C:\Windows\SysWOW64\rezcdtn.exe jmzwx.exe
File opened for modification C:\Windows\SysWOW64\jldusw.exe dwcxulj.exe
File created C:\Windows\SysWOW64\yodupcf.exe fgpapncj.exe
File opened for modification C:\Windows\SysWOW64\tjtkajq.exe lxeyc.exe
File opened for modification C:\Windows\SysWOW64\fdycao.exe doljzqlz.exe
File opened for modification C:\Windows\SysWOW64\wkqkm.exe sjjngwsd.exe
File created C:\Windows\SysWOW64\wgfpb.exe tdgkto.exe
File created C:\Windows\SysWOW64\donkwpih.exe mbxbqu.exe
File created C:\Windows\SysWOW64\ixedwy.exe oxgpbure.exe
File created C:\Windows\SysWOW64\pdzkpeth.exe aqqvv.exe
File opened for modification C:\Windows\SysWOW64\rwfns.exe bpupl.exe
File opened for modification C:\Windows\SysWOW64\ousgvffs.exe jqafbp.exe
File opened for modification C:\Windows\SysWOW64\fsnrdip.exe divyo.exe
File created C:\Windows\SysWOW64\oauqz.exe Process not Found
File created C:\Windows\SysWOW64\lszmazj.exe Process not Found
File opened for modification C:\Windows\SysWOW64\dtecuo.exe Process not Found
File opened for modification C:\Windows\SysWOW64\ajhcpp.exe xktguhn.exe
File created C:\Windows\SysWOW64\fxneebof.exe uoieih.exe
File created C:\Windows\SysWOW64\jzopfgai.exe hfmhbjmt.exe
File opened for modification C:\Windows\SysWOW64\xendu.exe kwerhu.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process
Every row below is: Token: SeDebugPrivilege, enabled by <pid> <Process>
4292 193e22249aad4b2a1757cf613cf63a5d.exe
5088 sgqpy.exe
2160 jytzbduc.exe
1852 nqrmblba.exe
3788 natra.exe
1432 vccpxoyd.exe
1940 nzarhoat.exe
1968 lmpifxb.exe
1776 llkrtyuz.exe
4640 pfsdond.exe
3940 hibty.exe
4312 tjybzr.exe
3520 lyfrwfh.exe
4496 jbtcts.exe
4396 wgnaahn.exe
4964 ddalg.exe
2252 uoedl.exe
3976 zxmhgcbo.exe
852 alkracgp.exe
1924 muhud.exe
3948 qwgss.exe
4236 kucyi.exe
3336 jdhvg.exe
4200 kczkumtm.exe
2484 pmyjf.exe
224 xrqyy.exe
736 kwmwdx.exe
3060 ajosgd.exe
2396 qexjoyb.exe
1176 fgwijl.exe
924 dpgrrcna.exe
5000 jnvuz.exe
2824 nivdi.exe
2332 vwdaskh.exe
2652 gowlw.exe
4596 lxebk.exe
2176 gthajv.exe
4536 coudg.exe
4008 htianjy.exe
4628 wiiqwq.exe
3276 zlproff.exe
4916 mimgu.exe
4976 foyfndsp.exe
4604 dphyyi.exe
3488 ifjxy.exe
228 fvhkhqg.exe
3616 adqak.exe
944 hezsfdn.exe
3408 unmcjml.exe
3256 xntuh.exe
3928 qeyqwb.exe
4868 cgxhwl.exe
3544 qfofw.exe
4940 bizdmy.exe
2780 pcnzs.exe
404 ixctftp.exe
4508 xnsjowih.exe
3080 ahoxdug.exe
3936 huoub.exe
2272 vibcr.exe
1772 gkpvzzh.exe
3208 bftyslk.exe
4708 hfklfgrg.exe
3484 axpsjrw.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target
Each pair below is recorded three times in the report (three writes per parent/child pair), except the last, which is recorded once; that makes 64 entries in total.
PID 4292 wrote to memory of 5088 | 4292 193e22249aad4b2a1757cf613cf63a5d.exe | 90
PID 5088 wrote to memory of 2160 | 5088 sgqpy.exe | 91
PID 2160 wrote to memory of 1852 | 2160 jytzbduc.exe | 92
PID 1852 wrote to memory of 3788 | 1852 nqrmblba.exe | 93
PID 3788 wrote to memory of 1432 | 3788 natra.exe | 94
PID 1432 wrote to memory of 1940 | 1432 vccpxoyd.exe | 95
PID 1940 wrote to memory of 1968 | 1940 nzarhoat.exe | 96
PID 1968 wrote to memory of 1776 | 1968 lmpifxb.exe | 98
PID 1776 wrote to memory of 4640 | 1776 llkrtyuz.exe | 99
PID 4640 wrote to memory of 3940 | 4640 pfsdond.exe | 101
PID 3940 wrote to memory of 4312 | 3940 hibty.exe | 102
PID 4312 wrote to memory of 3520 | 4312 tjybzr.exe | 103
PID 3520 wrote to memory of 4496 | 3520 lyfrwfh.exe | 104
PID 4496 wrote to memory of 4396 | 4496 jbtcts.exe | 105
PID 4396 wrote to memory of 4964 | 4396 wgnaahn.exe | 106
PID 4964 wrote to memory of 2252 | 4964 ddalg.exe | 107
PID 2252 wrote to memory of 3976 | 2252 uoedl.exe | 109
PID 3976 wrote to memory of 852 | 3976 zxmhgcbo.exe | 110
PID 852 wrote to memory of 1924 | 852 alkracgp.exe | 111
PID 1924 wrote to memory of 3948 | 1924 muhud.exe | 112
PID 3948 wrote to memory of 4236 | 3948 qwgss.exe | 113
PID 4236 wrote to memory of 3336 | 4236 kucyi.exe | 114 (recorded once)
Processes
Process tree; the leading number is the nesting depth, and each entry is a child of the one before it. The final entry is cut off in the source.

1. C:\Users\Admin\AppData\Local\Temp\193e22249aad4b2a1757cf613cf63a5d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\193e22249aad4b2a1757cf613cf63a5d.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4292

2. C:\Windows\SysWOW64\sgqpy.exe
   Command line: C:\Windows\system32\sgqpy.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 5088

3. C:\Windows\SysWOW64\jytzbduc.exe
   Command line: C:\Windows\system32\jytzbduc.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2160

4. C:\Windows\SysWOW64\nqrmblba.exe
   Command line: C:\Windows\system32\nqrmblba.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1852

5. C:\Windows\SysWOW64\natra.exe
   Command line: C:\Windows\system32\natra.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3788

6. C:\Windows\SysWOW64\vccpxoyd.exe
   Command line: C:\Windows\system32\vccpxoyd.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1432

7. C:\Windows\SysWOW64\nzarhoat.exe
   Command line: C:\Windows\system32\nzarhoat.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1940

8. C:\Windows\SysWOW64\lmpifxb.exe
   Command line: C:\Windows\system32\lmpifxb.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1968

9. C:\Windows\SysWOW64\llkrtyuz.exe
   Command line: C:\Windows\system32\llkrtyuz.exe
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1776

10. C:\Windows\SysWOW64\pfsdond.exe
    Command line: C:\Windows\system32\pfsdond.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4640

11. C:\Windows\SysWOW64\hibty.exe
    Command line: C:\Windows\system32\hibty.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3940

12. C:\Windows\SysWOW64\tjybzr.exe
    Command line: C:\Windows\system32\tjybzr.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4312

13. C:\Windows\SysWOW64\lyfrwfh.exe
    Command line: C:\Windows\system32\lyfrwfh.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3520

14. C:\Windows\SysWOW64\jbtcts.exe
    Command line: C:\Windows\system32\jbtcts.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4496

15. C:\Windows\SysWOW64\wgnaahn.exe
    Command line: C:\Windows\system32\wgnaahn.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4396

16. C:\Windows\SysWOW64\ddalg.exe
    Command line: C:\Windows\system32\ddalg.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4964

17. C:\Windows\SysWOW64\uoedl.exe
    Command line: C:\Windows\system32\uoedl.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2252

18. C:\Windows\SysWOW64\zxmhgcbo.exe
    Command line: C:\Windows\system32\zxmhgcbo.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3976

19. C:\Windows\SysWOW64\alkracgp.exe
    Command line: C:\Windows\system32\alkracgp.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 852

20. C:\Windows\SysWOW64\muhud.exe
    Command line: C:\Windows\system32\muhud.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1924

21. C:\Windows\SysWOW64\qwgss.exe
    Command line: C:\Windows\system32\qwgss.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3948

22. C:\Windows\SysWOW64\kucyi.exe
    Command line: C:\Windows\system32\kucyi.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4236

23. C:\Windows\SysWOW64\jdhvg.exe
    Command line: C:\Windows\system32\jdhvg.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3336

24. C:\Windows\SysWOW64\kczkumtm.exe
    Command line: C:\Windows\system32\kczkumtm.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4200

25. C:\Windows\SysWOW64\pmyjf.exe
    Command line: C:\Windows\system32\pmyjf.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2484

26. C:\Windows\SysWOW64\xrqyy.exe
    Command line: C:\Windows\system32\xrqyy.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 224

27. C:\Windows\SysWOW64\kwmwdx.exe
    Command line: C:\Windows\system32\kwmwdx.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 736

28. C:\Windows\SysWOW64\ajosgd.exe
    Command line: C:\Windows\system32\ajosgd.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3060

29. C:\Windows\SysWOW64\qexjoyb.exe
    Command line: C:\Windows\system32\qexjoyb.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

30. C:\Windows\SysWOW64\fgwijl.exe
    Command line: C:\Windows\system32\fgwijl.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1176

31. C:\Windows\SysWOW64\dpgrrcna.exe
    Command line: C:\Windows\system32\dpgrrcna.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 924

32. C:\Windows\SysWOW64\jnvuz.exe
    Command line: C:\Windows\system32\jnvuz.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 5000

33. C:\Windows\SysWOW64\nivdi.exe
    Command line: C:\Windows\system32\nivdi.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 2824

34. C:\Windows\SysWOW64\vwdaskh.exe
    Command line: C:\Windows\system32\vwdaskh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 2332

35. C:\Windows\SysWOW64\gowlw.exe
    Command line: C:\Windows\system32\gowlw.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2652

36. C:\Windows\SysWOW64\lxebk.exe
    Command line: C:\Windows\system32\lxebk.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4596

37. C:\Windows\SysWOW64\gthajv.exe
    Command line: C:\Windows\system32\gthajv.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2176

38. C:\Windows\SysWOW64\qqqcbdve.exe
    Command line: C:\Windows\system32\qqqcbdve.exe
    - Executes dropped EXE
    PID: 4024

39. C:\Windows\SysWOW64\coudg.exe
    Command line: C:\Windows\system32\coudg.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 4536

40. C:\Windows\SysWOW64\htianjy.exe
    Command line: C:\Windows\system32\htianjy.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4008

41. C:\Windows\SysWOW64\wiiqwq.exe
    Command line: C:\Windows\system32\wiiqwq.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4628

42. C:\Windows\SysWOW64\zlproff.exe
    Command line: C:\Windows\system32\zlproff.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3276

43. C:\Windows\SysWOW64\mimgu.exe
    Command line: C:\Windows\system32\mimgu.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4916

44. C:\Windows\SysWOW64\foyfndsp.exe
    Command line: C:\Windows\system32\foyfndsp.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4976

45. C:\Windows\SysWOW64\dphyyi.exe
    Command line: C:\Windows\system32\dphyyi.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4604

46. C:\Windows\SysWOW64\ifjxy.exe
    Command line: C:\Windows\system32\ifjxy.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3488

47. C:\Windows\SysWOW64\fvhkhqg.exe
    Command line: C:\Windows\system32\fvhkhqg.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 228

48. C:\Windows\SysWOW64\adqak.exe
    Command line: C:\Windows\system32\adqak.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3616

49. C:\Windows\SysWOW64\hezsfdn.exe
    Command line: C:\Windows\system32\hezsfdn.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 944

50. C:\Windows\SysWOW64\unmcjml.exe
    Command line: C:\Windows\system32\unmcjml.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3408

51. C:\Windows\SysWOW64\xntuh.exe
    Command line: C:\Windows\system32\xntuh.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3256

52. C:\Windows\SysWOW64\qeyqwb.exe
    Command line: C:\Windows\system32\qeyqwb.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3928

53. C:\Windows\SysWOW64\cgxhwl.exe
    Command line: C:\Windows\system32\cgxhwl.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4868

54. C:\Windows\SysWOW64\qfofw.exe
    Command line: C:\Windows\system32\qfofw.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3544

55. C:\Windows\SysWOW64\bizdmy.exe
    Command line: C:\Windows\system32\bizdmy.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4940

56. C:\Windows\SysWOW64\pcnzs.exe
    Command line: C:\Windows\system32\pcnzs.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2780

57. C:\Windows\SysWOW64\ixctftp.exe
    Command line: C:\Windows\system32\ixctftp.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\SysWOW64\xnsjowih.exeC:\Windows\system32\xnsjowih.exe58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508 -
C:\Windows\SysWOW64\ahoxdug.exeC:\Windows\system32\ahoxdug.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080 -
C:\Windows\SysWOW64\huoub.exeC:\Windows\system32\huoub.exe60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936 -
C:\Windows\SysWOW64\vibcr.exeC:\Windows\system32\vibcr.exe61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\gkpvzzh.exeC:\Windows\system32\gkpvzzh.exe62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\SysWOW64\bftyslk.exeC:\Windows\system32\bftyslk.exe63⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3208 -
C:\Windows\SysWOW64\hfklfgrg.exeC:\Windows\system32\hfklfgrg.exe64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708 -
C:\Windows\SysWOW64\axpsjrw.exeC:\Windows\system32\axpsjrw.exe65⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3484 -
C:\Windows\SysWOW64\drnbotpz.exeC:\Windows\system32\drnbotpz.exe66⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\ckzusj.exeC:\Windows\system32\ckzusj.exe67⤵PID:4224
-
C:\Windows\SysWOW64\bthbjtho.exeC:\Windows\system32\bthbjtho.exe68⤵PID:1740
-
C:\Windows\SysWOW64\ocovy.exeC:\Windows\system32\ocovy.exe69⤵PID:624
-
C:\Windows\SysWOW64\aenrkjj.exeC:\Windows\system32\aenrkjj.exe70⤵PID:1464
-
C:\Windows\SysWOW64\zswnr.exeC:\Windows\system32\zswnr.exe71⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\epiosbhc.exeC:\Windows\system32\epiosbhc.exe72⤵PID:3380
-
C:\Windows\SysWOW64\cmzgvq.exeC:\Windows\system32\cmzgvq.exe73⤵PID:2968
-
C:\Windows\SysWOW64\agsdngo.exeC:\Windows\system32\agsdngo.exe74⤵PID:2512
-
C:\Windows\SysWOW64\znqjr.exeC:\Windows\system32\znqjr.exe75⤵PID:1664
-
C:\Windows\SysWOW64\efqgwt.exeC:\Windows\system32\efqgwt.exe76⤵PID:1084
-
C:\Windows\SysWOW64\qyyvexa.exeC:\Windows\system32\qyyvexa.exe77⤵PID:4424
-
C:\Windows\SysWOW64\kalvrvx.exeC:\Windows\system32\kalvrvx.exe78⤵PID:2692
-
C:\Windows\SysWOW64\jwwpnqm.exeC:\Windows\system32\jwwpnqm.exe79⤵PID:3796
-
C:\Windows\SysWOW64\xktguhn.exeC:\Windows\system32\xktguhn.exe80⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\ajhcpp.exeC:\Windows\system32\ajhcpp.exe81⤵PID:4700
-
C:\Windows\SysWOW64\faszaos.exeC:\Windows\system32\faszaos.exe82⤵PID:4712
-
C:\Windows\SysWOW64\yytrbnzn.exeC:\Windows\system32\yytrbnzn.exe83⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\jmtsbkcc.exeC:\Windows\system32\jmtsbkcc.exe84⤵PID:5168
-
C:\Windows\SysWOW64\zvwtccw.exeC:\Windows\system32\zvwtccw.exe85⤵PID:5192
-
C:\Windows\SysWOW64\vsypuwqm.exeC:\Windows\system32\vsypuwqm.exe86⤵
- Adds Run key to start application
PID:5216 -
C:\Windows\SysWOW64\xjqdgjnb.exeC:\Windows\system32\xjqdgjnb.exe87⤵PID:5240
-
C:\Windows\SysWOW64\blffqcl.exeC:\Windows\system32\blffqcl.exe88⤵PID:5268
-
C:\Windows\SysWOW64\aqdbxr.exeC:\Windows\system32\aqdbxr.exe89⤵PID:5292
-
C:\Windows\SysWOW64\vjwbpwuz.exeC:\Windows\system32\vjwbpwuz.exe90⤵PID:5316
-
C:\Windows\SysWOW64\mfcdrw.exeC:\Windows\system32\mfcdrw.exe91⤵PID:5340
-
C:\Windows\SysWOW64\ugwaa.exeC:\Windows\system32\ugwaa.exe92⤵PID:5368
-
C:\Windows\SysWOW64\xcdrdzae.exeC:\Windows\system32\xcdrdzae.exe93⤵
- Adds Run key to start application
PID:5392 -
C:\Windows\SysWOW64\ydmrkl.exeC:\Windows\system32\ydmrkl.exe94⤵PID:5416
-
C:\Windows\SysWOW64\vqmravo.exeC:\Windows\system32\vqmravo.exe95⤵PID:5440
-
C:\Windows\SysWOW64\srygzr.exeC:\Windows\system32\srygzr.exe96⤵PID:5464
-
C:\Windows\SysWOW64\yjmcp.exeC:\Windows\system32\yjmcp.exe97⤵PID:5492
-
C:\Windows\SysWOW64\iequwmi.exeC:\Windows\system32\iequwmi.exe98⤵PID:5516
-
C:\Windows\SysWOW64\kllzm.exeC:\Windows\system32\kllzm.exe99⤵PID:5540
-
C:\Windows\SysWOW64\xitkua.exeC:\Windows\system32\xitkua.exe100⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\cttjhuo.exeC:\Windows\system32\cttjhuo.exe101⤵PID:5596
-
C:\Windows\SysWOW64\nemrdxx.exeC:\Windows\system32\nemrdxx.exe102⤵PID:5620
-
C:\Windows\SysWOW64\vpnxnha.exeC:\Windows\system32\vpnxnha.exe103⤵
- Adds Run key to start application
PID:5644 -
C:\Windows\SysWOW64\fbznd.exeC:\Windows\system32\fbznd.exe104⤵PID:5668
-
C:\Windows\SysWOW64\vmbhdxg.exeC:\Windows\system32\vmbhdxg.exe105⤵PID:5692
-
C:\Windows\SysWOW64\cenvui.exeC:\Windows\system32\cenvui.exe106⤵PID:5720
-
C:\Windows\SysWOW64\tvufzix.exeC:\Windows\system32\tvufzix.exe107⤵PID:5744
-
C:\Windows\SysWOW64\thzwvhu.exeC:\Windows\system32\thzwvhu.exe108⤵PID:5768
-
C:\Windows\SysWOW64\drctccmb.exeC:\Windows\system32\drctccmb.exe109⤵PID:5792
-
C:\Windows\SysWOW64\cxqiosoh.exeC:\Windows\system32\cxqiosoh.exe110⤵PID:5816
-
C:\Windows\SysWOW64\qnsxaafd.exeC:\Windows\system32\qnsxaafd.exe111⤵PID:5840
-
C:\Windows\SysWOW64\fggup.exeC:\Windows\system32\fggup.exe112⤵
- Adds Run key to start application
PID:5868 -
C:\Windows\SysWOW64\fzgshjxh.exeC:\Windows\system32\fzgshjxh.exe113⤵PID:5896
-
C:\Windows\SysWOW64\nadfp.exeC:\Windows\system32\nadfp.exe114⤵PID:5920
-
C:\Windows\SysWOW64\axtdiuq.exeC:\Windows\system32\axtdiuq.exe115⤵PID:5944
-
C:\Windows\SysWOW64\lzoyzt.exeC:\Windows\system32\lzoyzt.exe116⤵PID:5968
-
C:\Windows\SysWOW64\wzriz.exeC:\Windows\system32\wzriz.exe117⤵PID:5996
-
C:\Windows\SysWOW64\nfozeun.exeC:\Windows\system32\nfozeun.exe118⤵PID:6024
-
C:\Windows\SysWOW64\vlpkskvt.exeC:\Windows\system32\vlpkskvt.exe119⤵PID:6048
-
C:\Windows\SysWOW64\znraq.exeC:\Windows\system32\znraq.exe120⤵PID:6072
-
C:\Windows\SysWOW64\sxpijhdh.exeC:\Windows\system32\sxpijhdh.exe121⤵PID:6096
-
C:\Windows\SysWOW64\lqodrmr.exeC:\Windows\system32\lqodrmr.exe122⤵PID:6120