isrstealer | d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5

Analysis

max time kernel
75s
max time network
74s
platform
windows10_x64
resource
win10v20201028
submitted
15-11-2020 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe
Size

1.2MB
MD5

e9fea729bae2bd3a20d61829dc12c806
SHA1

d89fe8744aae2fa5164163045d6f91540cd49213
SHA256

d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5
SHA512

9d60873b85bb2128e35258789b7c40d3d29a8ff476272759844bb8f74fd665fb82dcbe9672e9311b0c7537d6ab1f8662ac43abe8bc7aa4b63519b03d0fb45ab3

Score

10^/10

isrstealer evasion persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 8 IoCs

resource	yara_rule
behavioral2/memory/852-6-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/852-7-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/852-8-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/736-23-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/684-95-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/200-324-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/2792-510-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral2/memory/3760-528-0x0000000000401180-mapping.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

pid	Process
936	eYmFqcBd.exe
188	eYmFqcBd.exe
204	eYmFqcBd.exe
2632	eYmFqcBd.exe
1516	eYmFqcBd.exe
2484	eYmFqcBd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2504-14-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2504-16-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-32-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2084-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2084-112-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2084-114-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/900-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/492-516-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/492-517-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\e9h2a4n = "C:\\Users\\Admin\\e9h2a4n\\66321.vbs"	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eYmFqcBd.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eYmFqcBd.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 852	936	eYmFqcBd.exe	78
PID 852 set thread context of 952	852	RegSvcs.exe	79
PID 852 set thread context of 2504	852	RegSvcs.exe	84
PID 188 set thread context of 736	188	eYmFqcBd.exe	88
PID 736 set thread context of 2180	736	RegSvcs.exe	89
PID 736 set thread context of 2236	736	RegSvcs.exe	91
PID 204 set thread context of 684	204	eYmFqcBd.exe	94
PID 684 set thread context of 2084	684	RegSvcs.exe	95
PID 684 set thread context of 900	684	RegSvcs.exe	96
PID 2632 set thread context of 200	2632	eYmFqcBd.exe	99
PID 200 set thread context of 3496	200	RegSvcs.exe	100
PID 200 set thread context of 2240	200	RegSvcs.exe	101
PID 1516 set thread context of 2792	1516	eYmFqcBd.exe	105
PID 2792 set thread context of 492	2792	RegSvcs.exe	106
PID 2792 set thread context of 768	2792	RegSvcs.exe	107
PID 2484 set thread context of 3760	2484	eYmFqcBd.exe	111
PID 3760 set thread context of 2728	3760	RegSvcs.exe	112
PID 3760 set thread context of 2156	3760	RegSvcs.exe	113

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1744	952	WerFault.exe	79
1900	2180	WerFault.exe	89
812	2240	WerFault.exe	101
2668	768	WerFault.exe	107
3480	2156	WerFault.exe	113

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	eYmFqcBd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe

Suspicious behavior: EnumeratesProcesses 612 IoCs

pid	Process
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
936	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
188	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
204	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
2632	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
1516	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe
2484	eYmFqcBd.exe

Suspicious use of AdjustPrivilegeToken 138 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	936	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	188	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	204	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	2632	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	1516	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe
Token: SeDebugPrivilege	2484	eYmFqcBd.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
852	RegSvcs.exe
736	RegSvcs.exe
684	RegSvcs.exe
200	RegSvcs.exe
2792	RegSvcs.exe
3760	RegSvcs.exe

Suspicious use of WriteProcessMemory 162 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	75
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	75
PID 1148 wrote to memory of 936	1148	d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe	75
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	78
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	78
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	78
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	78
PID 936 wrote to memory of 852	936	eYmFqcBd.exe	78
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 952	852	RegSvcs.exe	79
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 852 wrote to memory of 2504	852	RegSvcs.exe	84
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	86
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	86
PID 936 wrote to memory of 2324	936	eYmFqcBd.exe	86
PID 2324 wrote to memory of 188	2324	WScript.exe	87
PID 2324 wrote to memory of 188	2324	WScript.exe	87
PID 2324 wrote to memory of 188	2324	WScript.exe	87
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	88
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	88
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	88
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	88
PID 188 wrote to memory of 736	188	eYmFqcBd.exe	88
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2180	736	RegSvcs.exe	89
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 736 wrote to memory of 2236	736	RegSvcs.exe	91
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	92
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	92
PID 188 wrote to memory of 2648	188	eYmFqcBd.exe	92
PID 2648 wrote to memory of 204	2648	WScript.exe	93
PID 2648 wrote to memory of 204	2648	WScript.exe	93
PID 2648 wrote to memory of 204	2648	WScript.exe	93
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	94
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	94
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	94
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	94
PID 204 wrote to memory of 684	204	eYmFqcBd.exe	94
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 2084	684	RegSvcs.exe	95
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 684 wrote to memory of 900	684	RegSvcs.exe	96
PID 204 wrote to memory of 2404	204	eYmFqcBd.exe	97
PID 204 wrote to memory of 2404	204	eYmFqcBd.exe	97
PID 204 wrote to memory of 2404	204	eYmFqcBd.exe	97
PID 2404 wrote to memory of 2632	2404	WScript.exe	98
PID 2404 wrote to memory of 2632	2404	WScript.exe	98
PID 2404 wrote to memory of 2632	2404	WScript.exe	98
PID 2632 wrote to memory of 200	2632	eYmFqcBd.exe	99
PID 2632 wrote to memory of 200	2632	eYmFqcBd.exe	99
PID 2632 wrote to memory of 200	2632	eYmFqcBd.exe	99
PID 2632 wrote to memory of 200	2632	eYmFqcBd.exe	99
PID 2632 wrote to memory of 200	2632	eYmFqcBd.exe	99
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 3496	200	RegSvcs.exe	100
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 200 wrote to memory of 2240	200	RegSvcs.exe	101
PID 2632 wrote to memory of 3616	2632	eYmFqcBd.exe	103
PID 2632 wrote to memory of 3616	2632	eYmFqcBd.exe	103
PID 2632 wrote to memory of 3616	2632	eYmFqcBd.exe	103
PID 3616 wrote to memory of 1516	3616	WScript.exe	104
PID 3616 wrote to memory of 1516	3616	WScript.exe	104
PID 3616 wrote to memory of 1516	3616	WScript.exe	104
PID 1516 wrote to memory of 2792	1516	eYmFqcBd.exe	105
PID 1516 wrote to memory of 2792	1516	eYmFqcBd.exe	105
PID 1516 wrote to memory of 2792	1516	eYmFqcBd.exe	105
PID 1516 wrote to memory of 2792	1516	eYmFqcBd.exe	105
PID 1516 wrote to memory of 2792	1516	eYmFqcBd.exe	105
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 492	2792	RegSvcs.exe	106
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 2792 wrote to memory of 768	2792	RegSvcs.exe	107
PID 1516 wrote to memory of 1732	1516	eYmFqcBd.exe	109
PID 1516 wrote to memory of 1732	1516	eYmFqcBd.exe	109
PID 1516 wrote to memory of 1732	1516	eYmFqcBd.exe	109
PID 1732 wrote to memory of 2484	1732	WScript.exe	110
PID 1732 wrote to memory of 2484	1732	WScript.exe	110
PID 1732 wrote to memory of 2484	1732	WScript.exe	110
PID 2484 wrote to memory of 3760	2484	eYmFqcBd.exe	111
PID 2484 wrote to memory of 3760	2484	eYmFqcBd.exe	111
PID 2484 wrote to memory of 3760	2484	eYmFqcBd.exe	111
PID 2484 wrote to memory of 3760	2484	eYmFqcBd.exe	111
PID 2484 wrote to memory of 3760	2484	eYmFqcBd.exe	111
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2728	3760	RegSvcs.exe	112
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 3760 wrote to memory of 2156	3760	RegSvcs.exe	113
PID 2484 wrote to memory of 2696	2484	eYmFqcBd.exe	115
PID 2484 wrote to memory of 2696	2484	eYmFqcBd.exe	115
PID 2484 wrote to memory of 2696	2484	eYmFqcBd.exe	115

C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe
"C:\Users\Admin\AppData\Local\Temp\d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
  "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ofRUoQ49WU.ini"
      4⤵
      PID:952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 96
        5⤵
        Program crash
        
        PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nYnW8KNIRm.ini"
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
      "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:188
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\uMMmxyOATf.ini"
        6⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88
        7⤵
        Program crash
        
        PID:1900
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\GBqVlhSSmI.ini"
        6⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
        
        "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:204
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\cz8UktnVqM.ini"
        8⤵
        
        PID:2084
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\7zEqC2V4fW.ini"
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2404
        
        C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
        
        "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:200
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\PrpMEBl4kp.ini"
        10⤵
        
        PID:3496
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TYoUF0KRz9.ini"
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 24
        11⤵
        Program crash
        
        PID:812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
        9⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3616
        
        C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
        
        "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mJljVBJszD.ini"
        12⤵
        
        PID:492
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5hLs4VqvXU.ini"
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 88
        13⤵
        Program crash
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1732
        
        C:\Users\Admin\e9h2a4n\eYmFqcBd.exe
        
        "C:\Users\Admin\e9h2a4n\eYmFqcBd.exe" CTHiXWASNE.ELH
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3760
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\vr6kRLoNTj.ini"
        14⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\FDnVD61O8h.ini"
        14⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 88
        15⤵
        Program crash
        
        PID:3480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\e9h2a4n\run.vbs"
        13⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/492-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/492-517-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-505-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/852-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/900-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-13-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1900-29-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2084-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2084-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-522-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/3480-540-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download