isrstealer | e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e

Analysis

max time kernel
4294212s
max time network
160s
platform
windows7_x64
resource
win7-20220223-en
submitted
08-03-2022 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe
Size

340KB
MD5

3b4298ca0de8b3c4380d424c2119c99c
SHA1

f89168ce4986220753adeae47d069af8407284a4
SHA256

e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e
SHA512

33a69a00dbf76ca3dc3a8184522c7c8f36a4f277b846f84b9def594350b386e9d766d7e815d24c478f227bab1f4fca340fc96a55c695d241e49ca95dec189fa2

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2012-67-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2012-69-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1164-93-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1164-92-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/912-127-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/912-126-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/112-154-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/112-153-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/1164-93-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1164-92-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/912-127-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/912-126-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/112-154-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/112-153-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 55 IoCs

pid	Process
1960	filename.exe
2012	filename.exe
1196	filename.exe
1164	filename.exe
1704	filename.exe
1176	filename.exe
960	filename.exe
912	filename.exe
828	filename.exe
1764	filename.exe
548	filename.exe
112	filename.exe
1184	filename.exe
956	filename.exe
976	filename.exe
1564	filename.exe
1448	filename.exe
972	filename.exe
1552	filename.exe
1912	filename.exe
1076	filename.exe
1448	filename.exe
1832	filename.exe
1956	filename.exe
548	filename.exe
828	filename.exe
1092	filename.exe
1400	filename.exe
1636	filename.exe
1000	filename.exe
1660	filename.exe
1156	filename.exe
112	filename.exe
460	filename.exe
1000	filename.exe
1940	filename.exe
628	filename.exe
1532	filename.exe
268	filename.exe
1844	filename.exe
1700	filename.exe
1832	filename.exe
1156	filename.exe
1940	filename.exe
600	filename.exe
112	filename.exe
1480	filename.exe
1520	filename.exe
1712	filename.exe
1408	filename.exe
1848	filename.exe
956	filename.exe
1560	filename.exe
1576	filename.exe
1944	filename.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1196-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1196-80-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1196-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1196-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1164-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1164-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1164-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1164-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/960-115-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/960-114-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/960-113-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/912-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/912-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/912-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/112-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/112-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/112-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1144	cmd.exe
1144	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 11 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2012	1960	filename.exe	33
PID 2012 set thread context of 1196	2012	filename.exe	36
PID 2012 set thread context of 1164	2012	filename.exe	53
PID 1704 set thread context of 1176	1704	filename.exe	64
PID 1176 set thread context of 960	1176	filename.exe	67
PID 1176 set thread context of 912	1176	filename.exe	78
PID 828 set thread context of 1764	828	filename.exe	90
PID 1764 set thread context of 548	1764	filename.exe	94
PID 1764 set thread context of 112	1764	filename.exe	106
PID 1184 set thread context of 976	1184	filename.exe	115
PID 976 set thread context of 1564	976	filename.exe	117
PID 976 set thread context of 1448	976	filename.exe	129
PID 972 set thread context of 1912	972	filename.exe	139
PID 1912 set thread context of 1076	1912	filename.exe	140
PID 1912 set thread context of 1448	1912	filename.exe	153
PID 1832 set thread context of 1956	1832	filename.exe	164
PID 1956 set thread context of 548	1956	filename.exe	168
PID 1956 set thread context of 828	1956	filename.exe	178
PID 1092 set thread context of 1636	1092	filename.exe	187
PID 1636 set thread context of 1000	1636	filename.exe	191
PID 1636 set thread context of 1660	1636	filename.exe	201
PID 1156 set thread context of 112	1156	filename.exe	212
PID 112 set thread context of 460	112	filename.exe	216
PID 112 set thread context of 1000	112	filename.exe	226
PID 1940 set thread context of 628	1940	filename.exe	238
PID 628 set thread context of 1532	628	filename.exe	242
PID 628 set thread context of 268	628	filename.exe	252
PID 1844 set thread context of 1700	1844	filename.exe	264
PID 1700 set thread context of 1832	1700	filename.exe	268
PID 1700 set thread context of 1156	1700	filename.exe	278
PID 1940 set thread context of 600	1940	filename.exe	290
PID 600 set thread context of 112	600	filename.exe	294
PID 600 set thread context of 1480	600	filename.exe	304
PID 1520 set thread context of 1712	1520	filename.exe	316
PID 1712 set thread context of 1408	1712	filename.exe	319
PID 1712 set thread context of 1848	1712	filename.exe	330
PID 956 set thread context of 1560	956	filename.exe	342
PID 1560 set thread context of 1576	1560	filename.exe	344
PID 1560 set thread context of 1944	1560	filename.exe	356

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe
1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe
1960	filename.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe
Token: SeDebugPrivilege	1960	filename.exe
Token: SeDebugPrivilege	1704	filename.exe
Token: SeDebugPrivilege	828	filename.exe
Token: SeDebugPrivilege	1184	filename.exe
Token: SeDebugPrivilege	972	filename.exe
Token: SeDebugPrivilege	1832	filename.exe
Token: SeDebugPrivilege	1092	filename.exe
Token: SeDebugPrivilege	1156	filename.exe
Token: SeDebugPrivilege	1940	filename.exe
Token: SeDebugPrivilege	1844	filename.exe
Token: SeDebugPrivilege	1940	filename.exe
Token: SeDebugPrivilege	1520	filename.exe
Token: SeDebugPrivilege	956	filename.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2012	filename.exe
1176	filename.exe
1764	filename.exe
976	filename.exe
1912	filename.exe
1956	filename.exe
1636	filename.exe
112	filename.exe
628	filename.exe
1700	filename.exe
600	filename.exe
1712	filename.exe
1560	filename.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1144	1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe	27
PID 1692 wrote to memory of 1144	1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe	27
PID 1692 wrote to memory of 1144	1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe	27
PID 1692 wrote to memory of 1144	1692	e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe	27
PID 1144 wrote to memory of 1960	1144	cmd.exe	29
PID 1144 wrote to memory of 1960	1144	cmd.exe	29
PID 1144 wrote to memory of 1960	1144	cmd.exe	29
PID 1144 wrote to memory of 1960	1144	cmd.exe	29
PID 1960 wrote to memory of 1972	1960	filename.exe	30
PID 1960 wrote to memory of 1972	1960	filename.exe	30
PID 1960 wrote to memory of 1972	1960	filename.exe	30
PID 1960 wrote to memory of 1972	1960	filename.exe	30
PID 1972 wrote to memory of 432	1972	cmd.exe	32
PID 1972 wrote to memory of 432	1972	cmd.exe	32
PID 1972 wrote to memory of 432	1972	cmd.exe	32
PID 1972 wrote to memory of 432	1972	cmd.exe	32
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 2012	1960	filename.exe	33
PID 1960 wrote to memory of 980	1960	filename.exe	34
PID 1960 wrote to memory of 980	1960	filename.exe	34
PID 1960 wrote to memory of 980	1960	filename.exe	34
PID 1960 wrote to memory of 980	1960	filename.exe	34
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 2012 wrote to memory of 1196	2012	filename.exe	36
PID 980 wrote to memory of 1176	980	cmd.exe	37
PID 980 wrote to memory of 1176	980	cmd.exe	37
PID 980 wrote to memory of 1176	980	cmd.exe	37
PID 980 wrote to memory of 1176	980	cmd.exe	37
PID 1960 wrote to memory of 1996	1960	filename.exe	39
PID 1960 wrote to memory of 1996	1960	filename.exe	39
PID 1960 wrote to memory of 1996	1960	filename.exe	39
PID 1960 wrote to memory of 1996	1960	filename.exe	39
PID 1996 wrote to memory of 664	1996	cmd.exe	41
PID 1996 wrote to memory of 664	1996	cmd.exe	41
PID 1996 wrote to memory of 664	1996	cmd.exe	41
PID 1996 wrote to memory of 664	1996	cmd.exe	41
PID 1960 wrote to memory of 768	1960	filename.exe	42
PID 1960 wrote to memory of 768	1960	filename.exe	42
PID 1960 wrote to memory of 768	1960	filename.exe	42
PID 1960 wrote to memory of 768	1960	filename.exe	42
PID 768 wrote to memory of 788	768	cmd.exe	44
PID 768 wrote to memory of 788	768	cmd.exe	44
PID 768 wrote to memory of 788	768	cmd.exe	44
PID 768 wrote to memory of 788	768	cmd.exe	44
PID 1960 wrote to memory of 1780	1960	filename.exe	45
PID 1960 wrote to memory of 1780	1960	filename.exe	45
PID 1960 wrote to memory of 1780	1960	filename.exe	45
PID 1960 wrote to memory of 1780	1960	filename.exe	45
PID 1780 wrote to memory of 1636	1780	cmd.exe	47
PID 1780 wrote to memory of 1636	1780	cmd.exe	47
PID 1780 wrote to memory of 1636	1780	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe
"C:\Users\Admin\AppData\Local\Temp\e89152a061a968b6747019e51c3b27a8238e51d7958d894fb3a6cc517cdfc69e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
    "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:432
  - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
      "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\lWi9Pr7y8P.ini"
        5⤵
        Executes dropped EXE
        
        PID:1196
    - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\LQchgQk5Pt.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1164
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:664
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1876
  - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
      "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1908
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1244
    - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1176
      - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\lDW4f2imy4.ini"
        6⤵
        Executes dropped EXE
        
        PID:960
      - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5edZH7O5ap.ini"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1564
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:756
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1520
    - - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1496
      - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\8cgLVX7pzZ.ini"
        7⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\DCBLc1s6Fl.ini"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:364
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:2012
      - C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:288
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        7⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1VLQ6J50ID.ini"
        8⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\rP1PlUis24.ini"
        8⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1724
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:900
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        8⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\kNlAq5muZN.ini"
        9⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\PImuw1yLlR.ini"
        9⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1160
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Edt9wkv4MD.ini"
        10⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\WHrTpeBZe5.ini"
        10⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1840
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:2028
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        10⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\qeAAGeaw7p.ini"
        11⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\MSHQQYP5X4.ini"
        11⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1780
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1036
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NxcpFsVSmD.ini"
        12⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\AWgPoL8bpf.ini"
        12⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1748
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:532
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:628
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\MDABFZGdoM.ini"
        13⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wexhhOsgbK.ini"
        13⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:1572
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:2008
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\aPxeFR1GIl.ini"
        14⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\BnrqePBgy5.ini"
        14⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1648
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:584
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:600
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4GWeEYX8R8.ini"
        15⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ZzHgqhnQzO.ini"
        15⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1124
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\SE8DH35N0b.ini"
        16⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1lURLoTIeY.ini"
        16⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:844
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        "C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5yyRIswpcv.ini"
        17⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\Desktop\ssaffewgybgeff\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\c75dnMHdRm.ini"
        17⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1524

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/112-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/112-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/828-146-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/828-145-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/828-147-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/912-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/912-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/912-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-457-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/956-455-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/956-456-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/960-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/960-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/960-115-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/972-210-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/972-208-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/972-209-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1092-256-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-257-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1092-259-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-281-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-285-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-282-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1164-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1184-160-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-157-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-159-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1196-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1196-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1520-428-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-429-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-426-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-427-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1692-56-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1692-55-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-54-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/1692-57-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-118-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-116-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-117-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1832-238-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1832-239-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-237-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-347-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-348-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1844-350-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-381-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-316-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-317-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1940-320-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-382-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1940-383-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-84-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-83-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1960-82-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download