Analysis
max time kernel: 154s
max time network: 163s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08-03-2022 17:29

Static task: static1
Behavioral task behavioral1: sample 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe, resource win7-en-20211208
Behavioral task behavioral2: sample 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe, resource win10v2004-en-20220112
(All signature hits and the process tree below come from behavioral1, the Windows 7 run.)
General
Target: 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe
Size: 340KB
MD5: 011c3bfda83c0754b5062e6733c3bbe2
SHA1: cef51b1828c3d83b90af62f9ba5ed8fa9aeb9112
SHA256: 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4
SHA512: f2486c77307d9f9572276679fc166bbe03c23a457571302fd844b5ee8af15d1535703a25c7b81ef31b018e9abf8572cb8e295dd793aac70f3177aba697e70279
Malware Config
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload  2 IoCs
resource | yara_rule
behavioral1/memory/1096-70-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/1096-72-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
Both hits are in PID 1096, a filename.exe copy whose thread context was set by its parent (see SetThreadContext below), not in the originally submitted file.
NirSoft MailPassView  5 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/1972-87-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/2040-120-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/2040-121-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1960-148-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1960-147-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView

Nirsoft  5 IoCs
resource | yara_rule
behavioral1/memory/1972-87-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/2040-120-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/2040-121-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1960-148-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1960-147-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
Executes dropped EXE  43 IoCs
pid | Process (all rows are filename.exe)
688, 1096, 1780, 1972, 696, 1104, 1912, 2040, 1940, 932, 688, 1960, 808, 908, 1660, 1056, 1536, 1316, 772, 576, 860, 1004, 272, 772, 1552, 2044, 808, 1384, 2020, 1004, 1524, 1576, 836, 696, 2008, 988, 892, 768, 952, 1152, 1644, 772, 1188
(PIDs repeat because Windows reuses them as earlier copies exit.)

UPX-packed memory regions (yara rule upx)  15 IoCs
resource | yara_rule
behavioral1/memory/1780-78-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1780-82-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1780-84-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1780-83-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1972-85-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1972-87-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1912-111-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1912-112-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1912-110-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/2040-119-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2040-120-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2040-121-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1960-146-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1960-148-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1960-147-0x0000000000400000-0x000000000041F000-memory.dmp | upx
Loads dropped DLL  2 IoCs
pid | Process
696 | cmd.exe (2 rows)
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and form history.
Accesses Microsoft Outlook accounts  1 TTPs  8 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | filename.exe (8 identical rows)
Adds Run key to start application  2 TTPs  64 IoCs
description | ioc | Process
All 64 rows are one of the following two events, every one performed by reg.exe (35 rows of the first, 29 of the second):
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | reg.exe
The persisted value does not name an executable: it pipes the contents of Update.txt into a second cmd, so the command that actually runs at logon lives in the text file, and the report does not show that file's contents. When hunting for this, look for Run values that invoke cmd with "type ... | cmd" rather than for a suspicious image path, and collect Update.txt from the host.
Suspicious use of SetThreadContext  32 IoCs
description | pid | Process | procid_target (sandbox-internal process index, not a PID)
PID 688 set thread context of 1096 | 688 | filename.exe | 34
PID 1096 set thread context of 1780 | 1096 | filename.exe | 41
PID 1096 set thread context of 1972 | 1096 | filename.exe | 54
PID 696 set thread context of 1104 | 696 | filename.exe | 65
PID 1104 set thread context of 1912 | 1104 | filename.exe | 68
PID 1104 set thread context of 2040 | 1104 | filename.exe | 96
PID 1940 set thread context of 932 | 1940 | filename.exe | 107
PID 932 set thread context of 688 | 932 | filename.exe | 111
PID 932 set thread context of 1960 | 932 | filename.exe | 123
PID 808 set thread context of 908 | 808 | filename.exe | 131
PID 908 set thread context of 1660 | 908 | filename.exe | 134
PID 908 set thread context of 1056 | 908 | filename.exe | 145
PID 1536 set thread context of 1316 | 1536 | filename.exe | 157
PID 1316 set thread context of 772 | 1316 | filename.exe | 160
PID 1316 set thread context of 576 | 1316 | filename.exe | 171
PID 860 set thread context of 1004 | 860 | filename.exe | 183
PID 1004 set thread context of 272 | 1004 | filename.exe | 186
PID 1004 set thread context of 772 | 1004 | filename.exe | 197
PID 1552 set thread context of 2044 | 1552 | filename.exe | 209
PID 2044 set thread context of 808 | 2044 | filename.exe | 212
PID 2044 set thread context of 1384 | 2044 | filename.exe | 223
PID 2020 set thread context of 1004 | 2020 | filename.exe | 231
PID 1004 set thread context of 1524 | 1004 | filename.exe | 234
PID 1004 set thread context of 1576 | 1004 | filename.exe | 245
PID 836 set thread context of 696 | 836 | filename.exe | 253
PID 696 set thread context of 2008 | 696 | filename.exe | 256
PID 696 set thread context of 988 | 696 | filename.exe | 267
PID 892 set thread context of 768 | 892 | filename.exe | 279
PID 768 set thread context of 952 | 768 | filename.exe | 282
PID 768 set thread context of 1152 | 768 | filename.exe | 293
PID 1644 set thread context of 772 | 1644 | filename.exe | 305
PID 772 set thread context of 1188 | 772 | filename.exe | 308
The 32 pairs are ten complete three-step chains plus the first two steps of an eleventh. In each chain a filename.exe copy that holds SeDebugPrivilege (the AdjustPrivilegeToken list) sets the thread context of one child copy of itself; that child installs a Windows hook (the SetWindowsHookEx list) and then sets the thread context of two further copies, which the process tree shows being launched with NirSoft's /scomma switch. Of those two, the first (1780, 1912, 688) matches only the upx rule in a 0x400000-0x453000 region, while the second (1972, 2040, 1960) matches MailPassView in a 0x400000-0x41F000 region, so the /scomma children run a different image from the filename.exe they were started as.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but that reading does not fit this run: no encryption or ransom-note activity is reported, and the sample is classified as ISR Stealer, for which drive enumeration is more plausibly part of locating data to collect.
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid | Process | rows
1716 | 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe | 2
688 | filename.exe | 62
Suspicious use of AdjustPrivilegeToken  12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1716 | 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe
Token: SeDebugPrivilege | 688, 696, 1940, 808, 1536, 860, 1552, 2020, 836, 892, 1644 | filename.exe (one row per PID)
Suspicious use of SetWindowsHookEx  11 IoCs
pid | Process
1096, 1104, 932, 908, 1316, 1004, 2044, 1004, 696, 768, 772 | filename.exe (one row per PID; 1004 is listed twice because the PID was reused)
Suspicious use of WriteProcessMemory  64 IoCs
description | Process | procid_target (sandbox-internal process index, not a PID) | identical rows in the report
PID 1716 wrote to memory of 696 | 5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe | 27 | 4
PID 696 wrote to memory of 688 | cmd.exe | 30 | 4
PID 688 wrote to memory of 924 | filename.exe | 31 | 4
PID 924 wrote to memory of 1504 | cmd.exe | 33 | 4
PID 688 wrote to memory of 1096 | filename.exe | 34 | 8
PID 688 wrote to memory of 1008 | filename.exe | 35 | 4
PID 1008 wrote to memory of 1664 | cmd.exe | 37 | 4
PID 688 wrote to memory of 1696 | filename.exe | 38 | 4
PID 1696 wrote to memory of 1756 | cmd.exe | 40 | 4
PID 1096 wrote to memory of 1780 | filename.exe | 41 | 9
PID 688 wrote to memory of 1708 | filename.exe | 42 | 4
PID 1708 wrote to memory of 1388 | cmd.exe | 44 | 4
PID 688 wrote to memory of 2016 | filename.exe | 45 | 4
PID 2016 wrote to memory of 1768 | cmd.exe | 47 | 3 (the listing stops at 64 rows)
Every ordinary spawn of cmd.exe or reg.exe accounts for exactly four writes into the new child. The two children that are also SetThreadContext targets, 1096 and 1780, receive eight and nine writes; the extra writes are consistent with the parent replacing the suspended child's image before resuming it, which is the process-hollowing step that explains why the MailPassView and ISR Stealer rules match memory of processes named filename.exe.
Processes
Indentation and the bracketed number give each process's depth in the report. Image paths: filename.exe is C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe, cmd.exe and reg.exe are C:\Windows\SysWOW64\cmd.exe and C:\Windows\SysWOW64\reg.exe. Every reg.exe node runs the same command line, written once here as RUNKEY_CMD:
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

[1] C:\Users\Admin\AppData\Local\Temp\5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe  "C:\Users\Admin\AppData\Local\Temp\5bce63a780424047f798d0c9f5447361d852d02a323d829e9689e20a3b338bb4.exe"  PID 1716
    Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] cmd.exe  "cmd"  PID 696
      Loads dropped DLL; Suspicious use of WriteProcessMemory
    [3] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 688
        Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] cmd.exe  "cmd"  PID 924
          Suspicious use of WriteProcessMemory
        [5] reg.exe  RUNKEY_CMD  PID 1504
            Adds Run key to start application
      [4] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 1096
          Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\6eurVxczYn.ini"  PID 1780
            Executes dropped EXE
        [5] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\FPZBHdH3k4.ini"  PID 1972
            Executes dropped EXE; Accesses Microsoft Outlook accounts
      [4] cmd.exe  "cmd"  PID 1008
          Suspicious use of WriteProcessMemory
        [5] reg.exe  RUNKEY_CMD  PID 1664
            Adds Run key to start application
      [4] cmd.exe  "cmd"  PID 1696
          Suspicious use of WriteProcessMemory
        [5] reg.exe  RUNKEY_CMD  PID 1756
      [4] cmd.exe  "cmd"  PID 1708
          Suspicious use of WriteProcessMemory
        [5] reg.exe  RUNKEY_CMD  PID 1388
      [4] cmd.exe  "cmd"  PID 2016
          Suspicious use of WriteProcessMemory
        [5] reg.exe  RUNKEY_CMD  PID 1768
            Adds Run key to start application
      [4] cmd.exe  "cmd"  PID 1356
        [5] reg.exe  RUNKEY_CMD  PID 900
            Adds Run key to start application
      [4] cmd.exe  "cmd"  PID 1924
        [5] reg.exe  RUNKEY_CMD  PID 2020
      [4] cmd.exe  "cmd"  PID 1536
        [5] reg.exe  RUNKEY_CMD  PID 268
            Adds Run key to start application
      [4] cmd.exe  "cmd"  PID 1560
        [5] reg.exe  RUNKEY_CMD  PID 1824
            Adds Run key to start application
      [4] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 696
          Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
        [5] cmd.exe  "cmd"  PID 788
          [6] reg.exe  RUNKEY_CMD  PID 1960
              Adds Run key to start application
        [5] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 1104
            Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
          [6] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\fu9zZWkD4j.ini"  PID 1912
              Executes dropped EXE
          [6] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\PKdVkplORu.ini"  PID 2040
              Executes dropped EXE; Accesses Microsoft Outlook accounts
        [5] cmd.exe  "cmd"  PID 1504
          [6] reg.exe  RUNKEY_CMD  PID 304
        [5] cmd.exe  "cmd"  PID 2024
          [6] reg.exe  RUNKEY_CMD  PID 1500
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 1680
          [6] reg.exe  RUNKEY_CMD  PID 1092
        [5] cmd.exe  "cmd"  PID 1756
          [6] reg.exe  RUNKEY_CMD  PID 972
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 2016
          [6] reg.exe  RUNKEY_CMD  PID 908
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 1840
          [6] reg.exe  RUNKEY_CMD  PID 768
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 576
          [6] reg.exe  RUNKEY_CMD  PID 836
        [5] cmd.exe  "cmd"  PID 1052
          [6] reg.exe  RUNKEY_CMD  PID 2036
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 1980
          [6] reg.exe  RUNKEY_CMD  PID 848
        [5] cmd.exe  "cmd"  PID 1380
          [6] reg.exe  RUNKEY_CMD  PID 1664
              Adds Run key to start application
        [5] cmd.exe  "cmd"  PID 924
          [6] reg.exe  RUNKEY_CMD  PID 1392
        [5] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 1940
            Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          [6] cmd.exe  "cmd"  PID 2024
            [7] reg.exe  RUNKEY_CMD  PID 972
                Adds Run key to start application
          [6] filename.exe  "C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"  PID 932
              Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
            [7] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\HW33wZ6iu7.ini"  PID 688
                Executes dropped EXE
            [7] filename.exe  /scomma "C:\Users\Admin\AppData\Local\Temp\Gsh9Fvjq39.ini"  PID 1960
                Executes dropped EXE; Accesses Microsoft Outlook accounts
          [6] cmd.exe  "cmd"  PID 1660
            [7] reg.exe  RUNKEY_CMD  PID 836
                Adds Run key to start application
          [6] cmd.exe  "cmd"  PID 1060
            [7] reg.exe  RUNKEY_CMD  PID 1340
                Adds Run key to start application
          [6] cmd.exe  "cmd"  PID 1824
            [7] reg.exe  RUNKEY_CMD  PID 1664
                Adds Run key to start application
          [6] cmd.exe  "cmd"  PID 1692
            [7] reg.exe  RUNKEY_CMD  PID 1792
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"6⤵PID:960
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"7⤵
- Adds Run key to start application
PID:1056
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:808 -
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:876
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:604
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:908 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\AQeJy04pMJ.ini"8⤵
- Executes dropped EXE
PID:1660
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\QXEviBzzvh.ini"8⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1056
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1576
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1380
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:768
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1340
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵PID:788
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1392
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:520
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1836
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1180
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1524
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵PID:1388
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1528
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:2036
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1316 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\dEaWSH5Hbp.ini"9⤵
- Executes dropped EXE
PID:772
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\AJxc4riOqP.ini"9⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:576
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1060
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1552
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:584
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:896
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1616
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1388
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:2016
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:2020
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1788
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1384
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1768
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1968
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1004 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZE96n6BIeU.ini"10⤵
- Executes dropped EXE
PID:272
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZVCZFEuxiC.ini"10⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:772
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1708
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:988
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1056
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1772
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1084
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:876
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:576
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:836
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:788
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1392
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1552 -
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:648
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:1836
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\FOAcbayDz8.ini"11⤵
- Executes dropped EXE
PID:808
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\6vn11QiJJS.ini"11⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1384
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:268
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1860
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1084
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:1616
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1544
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1732
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:876
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1340
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:984
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1184
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:2036
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1004 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\NFps4SdVLK.ini"12⤵
- Executes dropped EXE
PID:1524
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\op1fHCopQ9.ini"12⤵
- Executes dropped EXE
PID:1576
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1596
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1220
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1836
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:648
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1316
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1056
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1744
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1052
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:836 -
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1096
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:520
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:696 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2LEghODUCN.ini"13⤵
- Executes dropped EXE
PID:2008
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZQbmJyqbRx.ini"13⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:988
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1552
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1312
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1456
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:980
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1728
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1220
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1316
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:1624
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:2040
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:2016
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:892 -
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1844
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1748
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:768 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\happM7uscL.ini"14⤵
- Executes dropped EXE
PID:952
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2EWznGq3gT.ini"14⤵
- Executes dropped EXE
PID:1152
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1980
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:964
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:2036
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1964
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1220
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1084
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵PID:452
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:1608
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1648
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"13⤵PID:552
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"14⤵
- Adds Run key to start application
PID:1536
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1644 -
C:\Windows\SysWOW64\cmd.exe"cmd"14⤵PID:848
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"15⤵
- Adds Run key to start application
PID:1588
-
-
-
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:772 -
C:\Users\Admin\Desktop\ertfyguhiljyhgfghr\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ASPUBD5zMr.ini"15⤵
- Executes dropped EXE
PID:1188
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"14⤵PID:1504
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"15⤵PID:1068
-
-
-
-
-
-
-
-
-
-
-
-
-
-