Analysis
max time kernel: 72s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/02/2024, 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_16e64b83933c0ea42ec9de131c4d2527.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: VirusShare_16e64b83933c0ea42ec9de131c4d2527.exe
  Resource: win10v2004-20231215-en
General
Target: VirusShare_16e64b83933c0ea42ec9de131c4d2527.exe
Size: 24KB
MD5: 16e64b83933c0ea42ec9de131c4d2527
SHA1: 2d608bd9a248701068c50b8d6f9ca2d4150d8261
SHA256: b32781dffffaddc2ccab6f76dd0044894c2e3db8346bfc5e4e0d09624fee14c9
SHA512: 927403fd454f786d1f91673fd32a0812e43700065699ef139443ebe03e3a3fbb8e159f5324cbce42de5f7141ac302e38a944d85ebdf62b9825d48553b6996f87
SSDEEP: 192:oVAexK8tq37U5AlT0TwiyY9xGd46fA1F1/+oSGRPzR/QdmIcybcx:oVe7pSy2xGd4oQF1/rNRPzR/QD1k
Malware Config
Signatures

Checks computer location settings (2 TTPs, 56 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\VirusShare_16e64b83933c0ea42ec9de131c4d2527.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_16e64b83933c0ea42ec9de131c4d2527.exe"
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1744

Process (depth 2): C:\Windows\SysWOW64\loru5a7.exe
Command line: "C:\Windows\system32\loru5a7.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1100

Process (depth 3): C:\Windows\SysWOW64\ilor47e.exe
Command line: "C:\Windows\system32\ilor47e.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1504

Process (depth 4): C:\Windows\SysWOW64\nqtw4ee.exe
Command line: "C:\Windows\system32\nqtw4ee.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4468

Process (depth 5): C:\Windows\SysWOW64\behkcfe.exe
Command line: "C:\Windows\system32\behkcfe.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2384

Process (depth 6): C:\Windows\SysWOW64\dgjm676.exe
Command line: "C:\Windows\system32\dgjm676.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c delC:\Windows\SysWOW64\dgjm676.exe > nul7⤵PID:3672
-
-
C:\Windows\SysWOW64\behk67e.exe"C:\Windows\system32\behk67e.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\mpsvef6.exe"C:\Windows\system32\mpsvef6.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\nqtw6f7.exe"C:\Windows\system32\nqtw6f7.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\gjmp7a6.exe"C:\Windows\system32\gjmp7a6.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\hknqd6e.exe"C:\Windows\system32\hknqd6e.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\hknqe36.exe"C:\Windows\system32\hknqe36.exe"12⤵PID:4724
-
C:\Windows\SysWOW64\gjmpf26.exe"C:\Windows\system32\gjmpf26.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900 -
C:\Windows\SysWOW64\cfil537.exe"C:\Windows\system32\cfil537.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:368 -
C:\Windows\SysWOW64\knqt4ee.exe"C:\Windows\system32\knqt4ee.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188 -
C:\Windows\SysWOW64\mpsvef7.exe"C:\Windows\system32\mpsvef7.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764 -
C:\Windows\SysWOW64\adgj7ff.exe"C:\Windows\system32\adgj7ff.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460 -
C:\Windows\SysWOW64\dgjm6bf.exe"C:\Windows\system32\dgjm6bf.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052 -
C:\Windows\SysWOW64\adgj7be.exe"C:\Windows\system32\adgj7be.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096 -
C:\Windows\SysWOW64\hknqf3e.exe"C:\Windows\system32\hknqf3e.exe"20⤵PID:888
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c delC:\Windows\SysWOW64\hknqf3e.exe > nul21⤵PID:1604
-
-
C:\Windows\SysWOW64\nqtw46f.exe"C:\Windows\system32\nqtw46f.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972 -
C:\Windows\SysWOW64\gjmp4ef.exe"C:\Windows\system32\gjmp4ef.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\SysWOW64\filod37.exe"C:\Windows\system32\filod37.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612 -
C:\Windows\SysWOW64\ilorc7e.exe"C:\Windows\system32\ilorc7e.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\SysWOW64\adgjeb6.exe"C:\Windows\system32\adgjeb6.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580 -
C:\Windows\SysWOW64\loru4ae.exe"C:\Windows\system32\loru4ae.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232 -
C:\Windows\SysWOW64\hknq426.exe"C:\Windows\system32\hknq426.exe"27⤵PID:5080
-
C:\Windows\SysWOW64\knqtf67.exe"C:\Windows\system32\knqtf67.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324 -
C:\Windows\SysWOW64\knqtd26.exe"C:\Windows\system32\knqtd26.exe"29⤵PID:1372
-
C:\Windows\SysWOW64\loruc2f.exe"C:\Windows\system32\loruc2f.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280 -
C:\Windows\SysWOW64\knqtda7.exe"C:\Windows\system32\knqtda7.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\SysWOW64\jmpsf66.exe"C:\Windows\system32\jmpsf66.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328 -
C:\Windows\SysWOW64\dgjmd76.exe"C:\Windows\system32\dgjmd76.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\nqtw5b6.exe"C:\Windows\system32\nqtw5b6.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\knqtc2f.exe"C:\Windows\system32\knqtc2f.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c delC:\Windows\SysWOW64\knqtc2f.exe > nul36⤵PID:3560
-
-
C:\Windows\SysWOW64\nqtwfe6.exe"C:\Windows\system32\nqtwfe6.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\hknqce6.exe"C:\Windows\system32\hknqce6.exe"37⤵PID:920
-
C:\Windows\SysWOW64\mpsv4e6.exe"C:\Windows\system32\mpsv4e6.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\mpsve77.exe"C:\Windows\system32\mpsve77.exe"39⤵PID:4728
-
C:\Windows\SysWOW64\loru53f.exe"C:\Windows\system32\loru53f.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\dgjm42e.exe"C:\Windows\system32\dgjm42e.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Windows\SysWOW64\loru4ff.exe"C:\Windows\system32\loru4ff.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\cfil4e6.exe"C:\Windows\system32\cfil4e6.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\mpsvdbf.exe"C:\Windows\system32\mpsvdbf.exe"44⤵PID:1452
-
C:\Windows\SysWOW64\dgjmf6e.exe"C:\Windows\system32\dgjmf6e.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\cfil66e.exe"C:\Windows\system32\cfil66e.exe"46⤵PID:2156
-
C:\Windows\SysWOW64\mpsvebe.exe"C:\Windows\system32\mpsvebe.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\dgjm6e7.exe"C:\Windows\system32\dgjm6e7.exe"48⤵PID:1840
-
C:\Windows\SysWOW64\cfileaf.exe"C:\Windows\system32\cfileaf.exe"49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\nqtw5af.exe"C:\Windows\system32\nqtw5af.exe"50⤵PID:4880
-
C:\Windows\SysWOW64\behk77f.exe"C:\Windows\system32\behk77f.exe"51⤵PID:4860
-
C:\Windows\SysWOW64\ehknce7.exe"C:\Windows\system32\ehknce7.exe"52⤵PID:2604
-
C:\Windows\SysWOW64\behk7bf.exe"C:\Windows\system32\behk7bf.exe"53⤵PID:3680
-
C:\Windows\SysWOW64\jmps56e.exe"C:\Windows\system32\jmps56e.exe"54⤵PID:392
-
C:\Windows\SysWOW64\hknq437.exe"C:\Windows\system32\hknq437.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c delC:\Windows\SysWOW64\hknq437.exe > nul56⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1840
-
-
C:\Windows\SysWOW64\knqtc3e.exe"C:\Windows\system32\knqtc3e.exe"56⤵PID:2076
-
C:\Windows\SysWOW64\dgjm52e.exe"C:\Windows\system32\dgjm52e.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\behkd27.exe"C:\Windows\system32\behkd27.exe"58⤵PID:992
-
C:\Windows\SysWOW64\jmps6f6.exe"C:\Windows\system32\jmps6f6.exe"59⤵PID:4684
-
C:\Windows\SysWOW64\filo63f.exe"C:\Windows\system32\filo63f.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\loru7e6.exe"C:\Windows\system32\loru7e6.exe"61⤵PID:2836
-
C:\Windows\SysWOW64\ehkne27.exe"C:\Windows\system32\ehkne27.exe"62⤵PID:2396
-
C:\Windows\SysWOW64\hknqcef.exe"C:\Windows\system32\hknqcef.exe"63⤵PID:3868
-
C:\Windows\SysWOW64\filodef.exe"C:\Windows\system32\filodef.exe"64⤵PID:1972
-
C:\Windows\SysWOW64\ilor73e.exe"C:\Windows\system32\ilor73e.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372 -
C:\Windows\SysWOW64\filocf7.exe"C:\Windows\system32\filocf7.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\hknq4e7.exe"C:\Windows\system32\hknq4e7.exe"67⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\ilord7e.exe"C:\Windows\system32\ilord7e.exe"68⤵PID:4876
-
C:\Windows\SysWOW64\mpsve2f.exe"C:\Windows\system32\mpsve2f.exe"69⤵PID:2288
-
C:\Windows\SysWOW64\ilore77.exe"C:\Windows\system32\ilore77.exe"70⤵PID:3064
-
C:\Windows\SysWOW64\adgj626.exe"C:\Windows\system32\adgj626.exe"71⤵PID:224
-
C:\Windows\SysWOW64\loru62e.exe"C:\Windows\system32\loru62e.exe"72⤵PID:2704
-
C:\Windows\SysWOW64\dgjm7be.exe"C:\Windows\system32\dgjm7be.exe"73⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\gjmpd77.exe"C:\Windows\system32\gjmpd77.exe"74⤵PID:3936
-
C:\Windows\SysWOW64\ilorfa6.exe"C:\Windows\system32\ilorfa6.exe"75⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\filo6be.exe"C:\Windows\system32\filo6be.exe"76⤵PID:1704
-
C:\Windows\SysWOW64\behkebe.exe"C:\Windows\system32\behkebe.exe"77⤵PID:5044
-
C:\Windows\SysWOW64\filo52e.exe"C:\Windows\system32\filo52e.exe"78⤵PID:3976
-
C:\Windows\SysWOW64\ehkneb7.exe"C:\Windows\system32\ehkneb7.exe"79⤵PID:4540
-
C:\Windows\SysWOW64\knqtcff.exe"C:\Windows\system32\knqtcff.exe"80⤵PID:1972
-
C:\Windows\SysWOW64\nqtw6e7.exe"C:\Windows\system32\nqtw6e7.exe"81⤵PID:436
-
C:\Windows\SysWOW64\nqtwdef.exe"C:\Windows\system32\nqtwdef.exe"82⤵PID:4432
-
C:\Windows\SysWOW64\hknqfe6.exe"C:\Windows\system32\hknqfe6.exe"83⤵PID:4648
-
C:\Windows\SysWOW64\gjmpcbe.exe"C:\Windows\system32\gjmpcbe.exe"84⤵PID:3696
-
C:\Windows\SysWOW64\filoeef.exe"C:\Windows\system32\filoeef.exe"85⤵PID:3048
-
C:\Windows\SysWOW64\filo72f.exe"C:\Windows\system32\filo72f.exe"86⤵PID:4220
-
C:\Windows\SysWOW64\loruc76.exe"C:\Windows\system32\loruc76.exe"87⤵PID:2732
-
C:\Windows\SysWOW64\hknq4ff.exe"C:\Windows\system32\hknq4ff.exe"88⤵PID:2736
-
C:\Windows\SysWOW64\ilorc7e.exe"C:\Windows\system32\ilorc7e.exe"89⤵PID:3328
-
C:\Windows\SysWOW64\cfilda6.exe"C:\Windows\system32\cfilda6.exe"90⤵PID:712
-
C:\Windows\SysWOW64\behk62f.exe"C:\Windows\system32\behk62f.exe"91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\dgjmf7f.exe"C:\Windows\system32\dgjmf7f.exe"92⤵PID:756
-
C:\Windows\SysWOW64\jmpsea6.exe"C:\Windows\system32\jmpsea6.exe"93⤵PID:3092
-
C:\Windows\SysWOW64\adgje76.exe"C:\Windows\system32\adgje76.exe"94⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\behkf26.exe"C:\Windows\system32\behkf26.exe"95⤵PID:264
-
C:\Windows\SysWOW64\gjmpe3e.exe"C:\Windows\system32\gjmpe3e.exe"96⤵PID:5012
-
C:\Windows\SysWOW64\jmps6e6.exe"C:\Windows\system32\jmps6e6.exe"97⤵PID:4636
-
C:\Windows\SysWOW64\gjmpde6.exe"C:\Windows\system32\gjmpde6.exe"98⤵PID:1244
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c delC:\Windows\SysWOW64\gjmpde6.exe > nul99⤵PID:4596
-
-
C:\Windows\SysWOW64\hknqf37.exe"C:\Windows\system32\hknqf37.exe"99⤵PID:4380
-
C:\Windows\SysWOW64\gjmpe26.exe"C:\Windows\system32\gjmpe26.exe"100⤵PID:2656
-
C:\Windows\SysWOW64\ehkncf7.exe"C:\Windows\system32\ehkncf7.exe"101⤵PID:4976
-
C:\Windows\SysWOW64\hknqdaf.exe"C:\Windows\system32\hknqdaf.exe"102⤵PID:1624
-
C:\Windows\SysWOW64\dgjm6af.exe"C:\Windows\system32\dgjm6af.exe"103⤵PID:4540
-
C:\Windows\SysWOW64\dgjm4f7.exe"C:\Windows\system32\dgjm4f7.exe"104⤵PID:2596
-
C:\Windows\SysWOW64\dgjme3e.exe"C:\Windows\system32\dgjme3e.exe"105⤵PID:3736
-
C:\Windows\SysWOW64\adgjcee.exe"C:\Windows\system32\adgjcee.exe"106⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\dgjm6a7.exe"C:\Windows\system32\dgjm6a7.exe"107⤵PID:1776
-
C:\Windows\SysWOW64\ehkn477.exe"C:\Windows\system32\ehkn477.exe"108⤵PID:2412
-
C:\Windows\SysWOW64\ilorefe.exe"C:\Windows\system32\ilorefe.exe"109⤵PID:3676
-
C:\Windows\SysWOW64\mpsv727.exe"C:\Windows\system32\mpsv727.exe"110⤵PID:3584
-
C:\Windows\SysWOW64\filofb7.exe"C:\Windows\system32\filofb7.exe"111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\knqtfbf.exe"C:\Windows\system32\knqtfbf.exe"112⤵PID:1088
-
C:\Windows\SysWOW64\ehknf37.exe"C:\Windows\system32\ehknf37.exe"113⤵PID:3328
-
C:\Windows\SysWOW64\adgj5bf.exe"C:\Windows\system32\adgj5bf.exe"114⤵PID:4720
-
C:\Windows\SysWOW64\cfil577.exe"C:\Windows\system32\cfil577.exe"115⤵PID:4732
-
C:\Windows\SysWOW64\knqt7bf.exe"C:\Windows\system32\knqt7bf.exe"116⤵PID:1300
-
C:\Windows\SysWOW64\behke7e.exe"C:\Windows\system32\behke7e.exe"117⤵PID:3428
-
C:\Windows\SysWOW64\adgjcfe.exe"C:\Windows\system32\adgjcfe.exe"118⤵PID:528
-
C:\Windows\SysWOW64\behk6f7.exe"C:\Windows\system32\behk6f7.exe"119⤵PID:2512
-
C:\Windows\SysWOW64\filoc26.exe"C:\Windows\system32\filoc26.exe"120⤵PID:4572
-
C:\Windows\SysWOW64\adgje2f.exe"C:\Windows\system32\adgje2f.exe"121⤵PID:4100
-
C:\Windows\SysWOW64\dgjmd6e.exe"C:\Windows\system32\dgjmd6e.exe"122⤵PID:3936