isrstealer | 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484

Analysis

max time kernel
4294212s
max time network
159s
platform
windows7_x64
resource
win7-20220223-en
submitted
08-03-2022 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe
Size

340KB
MD5

bb63a9a8be7756b02e2706a967bef3f6
SHA1

0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256

620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512

4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 2 IoCs

resource	yara_rule
behavioral1/memory/388-70-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/388-72-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1124-92-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1124-93-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1056-127-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1056-126-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1260-154-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1260-153-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/1124-92-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1124-93-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1056-127-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1056-126-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1260-154-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1260-153-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 55 IoCs

pid	Process
840	filename.exe
388	filename.exe
1400	filename.exe
1124	filename.exe
1556	filename.exe
1768	filename.exe
1628	filename.exe
1056	filename.exe
624	filename.exe
1324	filename.exe
1792	filename.exe
1260	filename.exe
1592	filename.exe
1588	filename.exe
1128	filename.exe
1964	filename.exe
956	filename.exe
1596	filename.exe
1720	filename.exe
824	filename.exe
1712	filename.exe
936	filename.exe
920	filename.exe
1792	filename.exe
1700	filename.exe
1548	filename.exe
1688	filename.exe
1812	filename.exe
1508	filename.exe
1396	filename.exe
1592	filename.exe
1684	filename.exe
388	filename.exe
1720	filename.exe
1316	filename.exe
784	filename.exe
1056	filename.exe
112	filename.exe
1508	filename.exe
1712	filename.exe
1900	filename.exe
1216	filename.exe
1628	filename.exe
756	filename.exe
1560	filename.exe
1616	filename.exe
1340	filename.exe
1768	filename.exe
1160	filename.exe
1500	filename.exe
1764	filename.exe
928	filename.exe
1516	filename.exe
1512	filename.exe
1068	filename.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1400-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1400-82-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1400-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1400-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1124-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-92-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1628-113-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1628-114-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1628-115-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1056-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1056-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1056-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1260-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1256	cmd.exe
1256	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 10 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 388	840	filename.exe	34
PID 388 set thread context of 1400	388	filename.exe	38
PID 388 set thread context of 1124	388	filename.exe	58
PID 1556 set thread context of 1768	1556	filename.exe	66
PID 1768 set thread context of 1628	1768	filename.exe	69
PID 1768 set thread context of 1056	1768	filename.exe	81
PID 624 set thread context of 1324	624	filename.exe	93
PID 1324 set thread context of 1792	1324	filename.exe	96
PID 1324 set thread context of 1260	1324	filename.exe	107
PID 1592 set thread context of 1128	1592	filename.exe	116
PID 1128 set thread context of 1964	1128	filename.exe	119
PID 1128 set thread context of 956	1128	filename.exe	130
PID 1596 set thread context of 1720	1596	filename.exe	142
PID 1720 set thread context of 824	1720	filename.exe	145
PID 1720 set thread context of 1712	1720	filename.exe	156
PID 936 set thread context of 1792	936	filename.exe	169
PID 1792 set thread context of 1700	1792	filename.exe	172
PID 1792 set thread context of 1548	1792	filename.exe	182
PID 1688 set thread context of 1812	1688	filename.exe	191
PID 1812 set thread context of 1508	1812	filename.exe	195
PID 1812 set thread context of 1396	1812	filename.exe	205
PID 1592 set thread context of 1684	1592	filename.exe	217
PID 1684 set thread context of 388	1684	filename.exe	221
PID 1684 set thread context of 1720	1684	filename.exe	231
PID 1316 set thread context of 784	1316	filename.exe	243
PID 784 set thread context of 1056	784	filename.exe	245
PID 784 set thread context of 112	784	filename.exe	257
PID 1508 set thread context of 1712	1508	filename.exe	265
PID 1712 set thread context of 1900	1712	filename.exe	269
PID 1712 set thread context of 1216	1712	filename.exe	279
PID 1628 set thread context of 1560	1628	filename.exe	292
PID 1560 set thread context of 1616	1560	filename.exe	295
PID 1560 set thread context of 1340	1560	filename.exe	306
PID 1768 set thread context of 1160	1768	filename.exe	314
PID 1160 set thread context of 1500	1160	filename.exe	317
PID 1160 set thread context of 1764	1160	filename.exe	328
PID 928 set thread context of 1516	928	filename.exe	336
PID 1516 set thread context of 1512	1516	filename.exe	339
PID 1516 set thread context of 1068	1516	filename.exe	350

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe
1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe
840	filename.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe
Token: SeDebugPrivilege	840	filename.exe
Token: SeDebugPrivilege	1556	filename.exe
Token: SeDebugPrivilege	624	filename.exe
Token: SeDebugPrivilege	1592	filename.exe
Token: SeDebugPrivilege	1596	filename.exe
Token: SeDebugPrivilege	936	filename.exe
Token: SeDebugPrivilege	1688	filename.exe
Token: SeDebugPrivilege	1592	filename.exe
Token: SeDebugPrivilege	1316	filename.exe
Token: SeDebugPrivilege	1508	filename.exe
Token: SeDebugPrivilege	1628	filename.exe
Token: SeDebugPrivilege	1768	filename.exe
Token: SeDebugPrivilege	928	filename.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
388	filename.exe
1768	filename.exe
1324	filename.exe
1128	filename.exe
1720	filename.exe
1792	filename.exe
1812	filename.exe
1684	filename.exe
784	filename.exe
1712	filename.exe
1560	filename.exe
1160	filename.exe
1516	filename.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1256	1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe	27
PID 1636 wrote to memory of 1256	1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe	27
PID 1636 wrote to memory of 1256	1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe	27
PID 1636 wrote to memory of 1256	1636	620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe	27
PID 1256 wrote to memory of 840	1256	cmd.exe	29
PID 1256 wrote to memory of 840	1256	cmd.exe	29
PID 1256 wrote to memory of 840	1256	cmd.exe	29
PID 1256 wrote to memory of 840	1256	cmd.exe	29
PID 840 wrote to memory of 1800	840	filename.exe	31
PID 840 wrote to memory of 1800	840	filename.exe	31
PID 840 wrote to memory of 1800	840	filename.exe	31
PID 840 wrote to memory of 1800	840	filename.exe	31
PID 1800 wrote to memory of 1556	1800	cmd.exe	33
PID 1800 wrote to memory of 1556	1800	cmd.exe	33
PID 1800 wrote to memory of 1556	1800	cmd.exe	33
PID 1800 wrote to memory of 1556	1800	cmd.exe	33
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 388	840	filename.exe	34
PID 840 wrote to memory of 1324	840	filename.exe	35
PID 840 wrote to memory of 1324	840	filename.exe	35
PID 840 wrote to memory of 1324	840	filename.exe	35
PID 840 wrote to memory of 1324	840	filename.exe	35
PID 1324 wrote to memory of 1444	1324	cmd.exe	37
PID 1324 wrote to memory of 1444	1324	cmd.exe	37
PID 1324 wrote to memory of 1444	1324	cmd.exe	37
PID 1324 wrote to memory of 1444	1324	cmd.exe	37
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 388 wrote to memory of 1400	388	filename.exe	38
PID 840 wrote to memory of 1272	840	filename.exe	40
PID 840 wrote to memory of 1272	840	filename.exe	40
PID 840 wrote to memory of 1272	840	filename.exe	40
PID 840 wrote to memory of 1272	840	filename.exe	40
PID 1272 wrote to memory of 2008	1272	cmd.exe	42
PID 1272 wrote to memory of 2008	1272	cmd.exe	42
PID 1272 wrote to memory of 2008	1272	cmd.exe	42
PID 1272 wrote to memory of 2008	1272	cmd.exe	42
PID 840 wrote to memory of 1520	840	filename.exe	44
PID 840 wrote to memory of 1520	840	filename.exe	44
PID 840 wrote to memory of 1520	840	filename.exe	44
PID 840 wrote to memory of 1520	840	filename.exe	44
PID 1520 wrote to memory of 892	1520	cmd.exe	46
PID 1520 wrote to memory of 892	1520	cmd.exe	46
PID 1520 wrote to memory of 892	1520	cmd.exe	46
PID 1520 wrote to memory of 892	1520	cmd.exe	46
PID 840 wrote to memory of 1352	840	filename.exe	47
PID 840 wrote to memory of 1352	840	filename.exe	47
PID 840 wrote to memory of 1352	840	filename.exe	47
PID 840 wrote to memory of 1352	840	filename.exe	47
PID 1352 wrote to memory of 1212	1352	cmd.exe	49
PID 1352 wrote to memory of 1212	1352	cmd.exe	49
PID 1352 wrote to memory of 1212	1352	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe
"C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
    "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1556
  - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
      "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1vuF36pYLx.ini"
        5⤵
        Executes dropped EXE
        
        PID:1400
    - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\YX3942h0Og.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1764
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:272
  - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
      "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1976
    - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1768
      - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\hePoJcRFgk.ini"
        6⤵
        Executes dropped EXE
        
        PID:1628
      - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\kEBzo5nykt.ini"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1352
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1548
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1124
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1812
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1560
    - - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1448
      - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\qhx4htGgYZ.ini"
        7⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\F6VGIhcTI4.ini"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1260
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1456
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1564
      - C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:2024
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        7⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\p15MoczxRf.ini"
        8⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\yxolVsiM5F.ini"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1180
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:768
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\HABadeNG0T.ini"
        9⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\FDqER9hyZs.ini"
        9⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1516
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        9⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\9EwN9WUkB7.ini"
        10⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\i9x82SRjMN.ini"
        10⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1012
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:840
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\O2pllDi6wO.ini"
        11⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TOkEEP6ELu.ini"
        11⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:732
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:784
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4o9xg0h796.ini"
        12⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\qzlpbkb7dJ.ini"
        12⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:956
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1748
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NHdlZS17Bp.ini"
        13⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\EyP1ekEKcT.ini"
        13⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:1564
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:480
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\hBIdK4XRaW.ini"
        14⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\HUqkL41kzX.ini"
        14⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:396
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        14⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\UdMAX2q1PQ.ini"
        15⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\PYLAGmazPh.ini"
        15⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1516
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1584
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\RoqknH7Ayj.ini"
        16⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4LbRNhyLkT.ini"
        16⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        "C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\G9KjUIpj7a.ini"
        17⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\l1KzRF3tsq.ini"
        17⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-146-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/624-145-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/624-147-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/840-63-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/840-65-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/840-64-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/928-436-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/928-437-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/928-438-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/936-239-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/936-240-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/936-238-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1056-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-92-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-323-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1316-324-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1316-322-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1400-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1508-369-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1508-371-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1508-370-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1556-116-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1556-117-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1556-118-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-160-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-164-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-289-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1592-161-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1592-291-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-288-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1596-194-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1596-193-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1596-195-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-115-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-394-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-392-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-393-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1636-55-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-56-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1636-57-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1688-275-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1688-274-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-276-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-403-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1768-402-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-407-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download