Malware Analysis Report

2025-01-18 16:46

Sample ID 220308-vk2shahdd2
Target 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
Tags
isrstealer collection persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484

Threat Level: Known bad

The file 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484 was found to be: Known bad.

Malicious Activity Summary

isrstealer collection persistence spyware stealer trojan upx

ISR Stealer

ISR Stealer Payload

Nirsoft

NirSoft MailPassView

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-08 17:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-08 17:03

Reported

2022-03-08 17:08

Platform

win7-20220223-en

Max time kernel

4294212s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 840 set thread context of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 set thread context of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 set thread context of 1124 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1556 set thread context of 1768 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1768 set thread context of 1628 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1768 set thread context of 1056 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 624 set thread context of 1324 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1324 set thread context of 1792 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1324 set thread context of 1260 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1592 set thread context of 1128 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1128 set thread context of 1964 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1128 set thread context of 956 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1596 set thread context of 1720 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1720 set thread context of 824 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1720 set thread context of 1712 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 936 set thread context of 1792 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1792 set thread context of 1700 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1792 set thread context of 1548 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1688 set thread context of 1812 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1812 set thread context of 1508 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1812 set thread context of 1396 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1592 set thread context of 1684 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1684 set thread context of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1684 set thread context of 1720 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1316 set thread context of 784 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 784 set thread context of 1056 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 784 set thread context of 112 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1508 set thread context of 1712 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1712 set thread context of 1900 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1712 set thread context of 1216 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1628 set thread context of 1560 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1560 set thread context of 1616 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1560 set thread context of 1340 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1768 set thread context of 1160 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1160 set thread context of 1500 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1160 set thread context of 1764 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 928 set thread context of 1516 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1516 set thread context of 1512 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 1516 set thread context of 1068 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe N/A
N/A N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 1800 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 388 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 1324 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1324 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1324 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1324 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1324 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1324 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1324 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 388 wrote to memory of 1400 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe
PID 840 wrote to memory of 1272 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1272 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1272 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1272 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1272 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1272 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 1520 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1520 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1520 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1520 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe

"C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\1vuF36pYLx.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\YX3942h0Og.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\hePoJcRFgk.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\kEBzo5nykt.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\qhx4htGgYZ.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\F6VGIhcTI4.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\p15MoczxRf.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\yxolVsiM5F.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\HABadeNG0T.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\FDqER9hyZs.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\9EwN9WUkB7.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\i9x82SRjMN.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\O2pllDi6wO.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\TOkEEP6ELu.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\4o9xg0h796.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\qzlpbkb7dJ.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\NHdlZS17Bp.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\EyP1ekEKcT.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\hBIdK4XRaW.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\HUqkL41kzX.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\UdMAX2q1PQ.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\PYLAGmazPh.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\RoqknH7Ayj.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\4LbRNhyLkT.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

"C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\G9KjUIpj7a.ini"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\l1KzRF3tsq.ini"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 brightsports.com udp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp
US 104.255.170.244:80 brightsports.com tcp

Files

memory/1636-54-0x0000000075781000-0x0000000075783000-memory.dmp

memory/1636-56-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1636-55-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/1636-57-0x0000000074220000-0x00000000747CB000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/840-63-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/840-64-0x0000000000350000-0x0000000000351000-memory.dmp

memory/840-65-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/388-66-0x0000000000400000-0x0000000000442000-memory.dmp

memory/388-68-0x0000000000400000-0x0000000000442000-memory.dmp

memory/388-70-0x0000000000400000-0x0000000000442000-memory.dmp

memory/388-72-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1400-78-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1400-82-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1400-84-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1400-83-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1vuF36pYLx.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/1124-87-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1124-91-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1124-92-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1124-93-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1628-113-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1628-114-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1628-115-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1556-117-0x0000000002050000-0x0000000002051000-memory.dmp

memory/1556-116-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/1556-118-0x0000000074220000-0x00000000747CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hePoJcRFgk.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1056-125-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1056-127-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1056-126-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/624-145-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/624-146-0x0000000002240000-0x0000000002241000-memory.dmp

memory/624-147-0x0000000074220000-0x00000000747CB000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1260-152-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1260-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1260-153-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1592-160-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1592-164-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1592-161-0x0000000000680000-0x0000000000681000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\p15MoczxRf.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

memory/1596-194-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/1596-193-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1596-195-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\HABadeNG0T.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/936-238-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/936-239-0x0000000000670000-0x0000000000671000-memory.dmp

memory/936-240-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1688-275-0x0000000000400000-0x0000000000401000-memory.dmp

memory/1688-274-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1688-276-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\O2pllDi6wO.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1592-288-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1592-291-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

memory/1592-289-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\4o9xg0h796.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1316-323-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/1316-322-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1316-324-0x0000000073C70000-0x000000007421B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1508-370-0x0000000000470000-0x0000000000471000-memory.dmp

memory/1508-369-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/1508-371-0x0000000074220000-0x00000000747CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hBIdK4XRaW.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 59539087ffb8fbb8a96b4b2c46234259
SHA1 969bb88cb550feda57d26ce457d9ce647f309456
SHA256 78b97b6d5b04665887a50963696333d93f32268bd18069f15ba7ad0ff1fbc1d4
SHA512 98a4fc0e1f444a2474ba0f4efde9458a6aee6c65dea578c686841e0956e28b386c93b1f027348f50b4846e3cb5bfd6f9edc60baf6caafa84cf0b8197e5521f7f

C:\Users\Admin\Desktop\dhfjkbvdfgrhr\filename.exe

MD5 bb63a9a8be7756b02e2706a967bef3f6
SHA1 0e30c97d88fc84758b0ad097a4c3c1cf011d03f6
SHA256 620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484
SHA512 4e838c9e9bfc8bd288970d3860b919b01ba52376717beff6b3ade6dddd2af77dc8a450a36bd3d9f6e9ab084b4f727e47305e6ac45da54a5f32f3ed5507e20d42

memory/1628-393-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1628-392-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1628-394-0x0000000073C70000-0x000000007421B000-memory.dmp

memory/1768-403-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1768-402-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/1768-407-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/928-436-0x0000000074220000-0x00000000747CB000-memory.dmp

memory/928-437-0x0000000001F50000-0x0000000001F51000-memory.dmp

memory/928-438-0x0000000074220000-0x00000000747CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-08 17:03

Reported

2022-03-08 17:08

Platform

win10v2004-en-20220113

Max time kernel

135s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe

"C:\Users\Admin\AppData\Local\Temp\620222355eb493bacfc0409b4704af8c253ade0142844093f5c541c69f4c9484.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 oneocsp.microsoft.com udp
US 131.253.33.203:80 oneocsp.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 2.21.41.70:80 www.microsoft.com tcp

Files

N/A