Analysis

max time kernel: 156s
max time network: 163s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08-03-2022 14:03

Static task: static1

Behavioral task: behavioral1
Sample: 88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe
Resource: win10v2004-en-20220112

General

Target: 88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe
Size: 340KB
MD5: 9569fed4ee0f5c92baaa60b4df7ffcf6
SHA1: 36354316a0c0d835c2e2357edfcb31c032e0f728
SHA256: 88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7
SHA512: adf4381fac9cb4d319c37aad144188fedaab7da5c258e7d8fb139e00c25cdcd734857fe68b38312f6bb29ee6763bc6d714d1e1c7fca9543d582aa1d3d69e8d0b
Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload 2 IoCs
resource  yara_rule
behavioral1/memory/1448-69-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
behavioral1/memory/1448-71-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource  yara_rule
behavioral1/memory/1280-95-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/1280-94-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/936-129-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
behavioral1/memory/936-128-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView

Nirsoft 4 IoCs
resource  yara_rule
behavioral1/memory/1280-95-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/1280-94-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/936-129-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
behavioral1/memory/936-128-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
Executes dropped EXE 48 IoCs
pid  Process
Process: filename.exe for all 48 entries; pids in the order reported: 668, 2036, 1448, 936, 1280, 616, 1600, 1396, 936, 2016, 460, 888, 1896, 916, 748, 1692, 1096, 1892, 1556, 1500, 1616, 888, 1600, 2024, 1104, 284, 1360, 428, 1764, 1444, 1556, 1212, 1244, 1056, 1732, 2036, 1504, 1708, 1376, 1704, 1096, 896, 924, 1180, 1592, 1308, 908, 736

resource  yara_rule
behavioral1/memory/936-80-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/936-84-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/936-85-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/936-86-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/1280-89-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1280-93-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1280-95-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1280-94-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/1396-118-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/1396-119-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/1396-120-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/936-127-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/936-129-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/936-128-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/888-149-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/888-151-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/888-150-0x0000000000400000-0x0000000000453000-memory.dmp  upx
behavioral1/memory/2036-335-0x0000000000130000-0x0000000000170000-memory.dmp  upx
Loads dropped DLL 2 IoCs
pid  Process
756  cmd.exe
756  cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 7 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  filename.exe  (7 identical entries)
Adds Run key to start application 2 TTPs 64 IoCs
description  ioc  Process
All 64 entries are reported by reg.exe and are one of the following two (31 "Set value" and 33 "Key created" entries):
Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd"  reg.exe
Key created  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
Suspicious use of SetThreadContext 32 IoCs
description  pid  Process  procid_target
PID 668 set thread context of 1448   668 filename.exe   35
PID 1448 set thread context of 936   1448 filename.exe  39
PID 1448 set thread context of 1280  1448 filename.exe  66
PID 616 set thread context of 1600   616 filename.exe   77
PID 1600 set thread context of 1396  1600 filename.exe  80
PID 1600 set thread context of 936   1600 filename.exe  91
PID 2016 set thread context of 460   2016 filename.exe  103
PID 460 set thread context of 888    460 filename.exe   106
PID 460 set thread context of 1896   460 filename.exe   119
PID 916 set thread context of 748    916 filename.exe   131
PID 748 set thread context of 1692   748 filename.exe   134
PID 748 set thread context of 1096   748 filename.exe   145
PID 1892 set thread context of 1556  1892 filename.exe  157
PID 1556 set thread context of 1500  1556 filename.exe  160
PID 1556 set thread context of 1616  1556 filename.exe  171
PID 888 set thread context of 1600   888 filename.exe   181
PID 1600 set thread context of 2024  1600 filename.exe  184
PID 1600 set thread context of 1104  1600 filename.exe  195
PID 284 set thread context of 1360   284 filename.exe   203
PID 1360 set thread context of 428   1360 filename.exe  204
PID 1360 set thread context of 1764  1360 filename.exe  217
PID 1444 set thread context of 1244  1444 filename.exe  231
PID 1244 set thread context of 1056  1244 filename.exe  234
PID 1244 set thread context of 1732  1244 filename.exe  245
PID 2036 set thread context of 1708  2036 filename.exe  258
PID 1708 set thread context of 1376  1708 filename.exe  262
PID 1708 set thread context of 1704  1708 filename.exe  272
PID 1096 set thread context of 896   1096 filename.exe  284
PID 896 set thread context of 924    896 filename.exe   287
PID 896 set thread context of 1180   896 filename.exe   298
PID 1592 set thread context of 908   1592 filename.exe  311
PID 908 set thread context of 736    908 filename.exe   312

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1536  88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe  (2 entries)
668   filename.exe  (62 entries)

Suspicious use of AdjustPrivilegeToken 12 IoCs
description  pid  Process
Token: SeDebugPrivilege  1536  88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe
Token: SeDebugPrivilege  668   filename.exe
Token: SeDebugPrivilege  616   filename.exe
Token: SeDebugPrivilege  2016  filename.exe
Token: SeDebugPrivilege  916   filename.exe
Token: SeDebugPrivilege  1892  filename.exe
Token: SeDebugPrivilege  888   filename.exe
Token: SeDebugPrivilege  284   filename.exe
Token: SeDebugPrivilege  1444  filename.exe
Token: SeDebugPrivilege  2036  filename.exe
Token: SeDebugPrivilege  1096  filename.exe
Token: SeDebugPrivilege  1592  filename.exe

Suspicious use of SetWindowsHookEx 11 IoCs
pid  Process
Process: filename.exe for all 11 entries; pids in the order reported: 1448, 1600, 460, 748, 1556, 1600, 1360, 1244, 1708, 896, 908

Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
Identical entries are collapsed below with their repeat count; the 64 entries sum as follows:
PID 1536 wrote to memory of 756   1536 88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe  27  (x4)
PID 756 wrote to memory of 668    756 cmd.exe        30  (x4)
PID 668 wrote to memory of 1092   668 filename.exe   31  (x4)
PID 1092 wrote to memory of 1076  1092 cmd.exe       33  (x4)
PID 668 wrote to memory of 2036   668 filename.exe   34  (x4)
PID 668 wrote to memory of 1448   668 filename.exe   35  (x8)
PID 668 wrote to memory of 1556   668 filename.exe   37  (x4)
PID 1556 wrote to memory of 988   1556 cmd.exe       38  (x4)
PID 1448 wrote to memory of 936   1448 filename.exe  39  (x9)
PID 668 wrote to memory of 1896   668 filename.exe   40  (x4)
PID 1896 wrote to memory of 588   1896 cmd.exe       42  (x4)
PID 668 wrote to memory of 840    668 filename.exe   43  (x4)
PID 840 wrote to memory of 852    840 cmd.exe        45  (x4)
PID 668 wrote to memory of 1916   668 filename.exe   46  (x3; list truncated at 64 entries)
Processes
Process tree (indentation and the bracketed number give the depth; signatures triggered by each process are listed beneath it):

[1] C:\Users\Admin\AppData\Local\Temp\88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe  "C:\Users\Admin\AppData\Local\Temp\88a0c42f1ce46ba4d2e99c386cb9728bb29fae0eed07207c356ce40ff60382c7.exe"  PID:1536
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:756
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:668
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1092
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1076
          - Adds Run key to start application
      [4] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:2036
        - Executes dropped EXE
      [4] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:1448
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\sbCVzGNl9I.ini"  PID:936
          - Executes dropped EXE
        [5] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\MJGvYE8avF.ini"  PID:1280
          - Executes dropped EXE
          - Accesses Microsoft Outlook accounts
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1556
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:988
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1896
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:588
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:840
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:852
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1916
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1704
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:2040
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1580
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:756
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:736
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1308
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1096
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1164
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:816
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1416
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1684
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1700
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:988
          - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1556
        [5] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:552
          - Adds Run key to start application
      [4] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:616
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1876
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1188
        [5] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:1600
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\mG3TXGRJCz.ini"  PID:1396
            - Executes dropped EXE
          [6] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\DVNTCJrYaX.ini"  PID:936
            - Executes dropped EXE
            - Accesses Microsoft Outlook accounts
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1484
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1352
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:916
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1964
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:992
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1716
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1036
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1744
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1556
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1464
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1536
          [6] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1460
            - Adds Run key to start application
        [5] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:2016
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1812
            [7] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1444
              - Adds Run key to start application
          [6] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  "C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"  PID:460
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            [7] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\QERJy5XIRf.ini"  PID:888
              - Executes dropped EXE
            [7] C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\u6RZw3kRCv.ini"  PID:1896
              - Executes dropped EXE
              - Accesses Microsoft Outlook accounts
          [6] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1484
            [7] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1620
              - Adds Run key to start application
          [6] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1056
            [7] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1172
          [6] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1468
            [7] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:1820
              - Adds Run key to start application
          [6] C:\Windows\SysWOW64\cmd.exe  "cmd"  PID:1916
            [7] C:\Windows\SysWOW64\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"  PID:840
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"6⤵PID:1932
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"7⤵PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"6⤵PID:1512
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"7⤵
- Adds Run key to start application
PID:1764
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:916 -
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1556
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:2032
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:748 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\gVUbpML1jM.ini"8⤵
- Executes dropped EXE
PID:1692
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\0KEqB5MXFn.ini"8⤵
- Executes dropped EXE
PID:1096
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:988
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1600
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1552
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵PID:324
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1932
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:756
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1536
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:2040
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1484
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:596
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:520
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵PID:2032
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1556 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\bnVySGGSvJ.ini"9⤵
- Executes dropped EXE
PID:1500
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\QedZFC9nRE.ini"9⤵
- Executes dropped EXE
PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:576
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:564
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:756
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1340
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1704
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1512
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1176
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:928
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1740
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:888 -
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1468
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1604
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1600 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\W4WL59Bs8F.ini"10⤵
- Executes dropped EXE
PID:2024
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\J8bLrWaCC9.ini"10⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1972
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1196
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:564
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:324
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1932
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1920
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:2016
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1536
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1748
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1176
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:284 -
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1484
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:544
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2LIC0x8vFC.ini"11⤵
- Executes dropped EXE
PID:428
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\N3WaDJekLK.ini"11⤵
- Executes dropped EXE
PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:920
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1720
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1308
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:816
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1172
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1060
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1932
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1180
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1176
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:240
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1692
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵PID:1076
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"11⤵
- Executes dropped EXE
PID:1556
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"11⤵
- Executes dropped EXE
PID:1212
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1244 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\6m8Hr22rXx.ini"12⤵
- Executes dropped EXE
PID:1056
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\7SV6CkI4gQ.ini"12⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:972
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1708
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:908
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1308
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1972
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵PID:1920
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:912
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1176
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1768
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1652
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵PID:1088
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1264
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1196
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"12⤵
- Executes dropped EXE
PID:1504
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1708 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\tF73M7vfgr.ini"13⤵
- Executes dropped EXE
PID:1376
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\PRyRy3Yl7U.ini"13⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1704
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1788
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:324
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1896
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1716
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1100
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:988
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1616
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:1748
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1180
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1620
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:648
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1096 -
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1076
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:1120
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:896 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\uVSsS9uZYZ.ini"14⤵
- Executes dropped EXE
PID:924
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\wApgnr9lh2.ini"14⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1188
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:916
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1160
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1232
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:988
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1616
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1396
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:1924
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1364
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1936
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\SysWOW64\cmd.exe"cmd"14⤵PID:1604
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"15⤵PID:1536
-
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"14⤵
- Executes dropped EXE
PID:1308
-
-
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:908 -
C:\Users\Admin\Desktop\jyhtgrfdsdhjkllkj\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\SSlSF9qwiE.ini"15⤵
- Executes dropped EXE
PID:736
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"14⤵PID:1904
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"15⤵
- Adds Run key to start application
PID:1760
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"14⤵PID:1656
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"15⤵PID:1716
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:2036
-
-
-
-
-
-
-