Analysis
- max time kernel: 153s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-03-2022 18:41
Static task: static1
Behavioral task: behavioral1
- Sample: 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
- Resource: win10v2004-en-20220112
General
- Target: 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
- Size: 340KB
- MD5: 688d0b8e41ec120ca2d2a43d55cd7bef
- SHA1: c15c834cec66a405e32189ecfb332eb9a5013fa4
- SHA256: 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
- SHA512: cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339
Malware Config

Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer Payload (2 IoCs)
- behavioral1/memory/1432-71-0x0000000000400000-0x0000000000442000-memory.dmp: family_isrstealer
- behavioral1/memory/1432-73-0x0000000000400000-0x0000000000442000-memory.dmp: family_isrstealer
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
- behavioral1/memory/696-92-0x0000000000400000-0x000000000041F000-memory.dmp: MailPassView
- behavioral1/memory/696-91-0x0000000000400000-0x000000000041F000-memory.dmp: MailPassView

Nirsoft (2 IoCs)
- behavioral1/memory/696-92-0x0000000000400000-0x000000000041F000-memory.dmp: Nirsoft
- behavioral1/memory/696-91-0x0000000000400000-0x000000000041F000-memory.dmp: Nirsoft
Executes dropped EXE (35 IoCs)
Loads dropped DLL (2 IoCs)
- PID 580 cmd.exe (listed twice)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 6 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (filename.exe; the same key is listed six times)
Adds Run key to start application (2 TTPs, 64 IoCs)
The 64 entries repeat the same two operations, all performed by reg.exe:
- Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd"
Suspicious use of SetThreadContext (25 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1580 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe (listed twice)
- PID 2016 filename.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeDebugPrivilege, requested by PID 1580 (4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe) and by PIDs 2016, 864, 1836, 1760, 1088, 1252, 1780, 1276 and 1716 (all filename.exe)
Suspicious use of SetWindowsHookEx (8 IoCs)
- filename.exe, PIDs 1432, 1540, 1700, 1776, 624, 1748, 1448 and 1760
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(tree depth in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe (PID 1580)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 580)
      cmdline: "cmd"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 2016)
        cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1100)
          cmdline: "cmd"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1508)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application
      [4] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1432)
          cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1776)
            cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\IFWf0d3OIl.ini"
            - Executes dropped EXE
        [5] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 696)
            cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\izwdA8AEkY.ini"
            - Executes dropped EXE
            - Accesses Microsoft Outlook accounts
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1012)
          cmdline: "cmd"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1032)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1900)
          cmdline: "cmd"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1904)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1408)
          cmdline: "cmd"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 532)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1944)
          cmdline: "cmd"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 1504)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1696)
          cmdline: "cmd"
        [5] C:\Windows\SysWOW64\reg.exe (PID 604)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1888)
          cmdline: "cmd"
        [5] C:\Windows\SysWOW64\reg.exe (PID 2024)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1620)
          cmdline: "cmd"
        [5] C:\Windows\SysWOW64\reg.exe (PID 1548)
            cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application
      [4] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 864)
          cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe (PID 672)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1804)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1540)
            cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1796)
              cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini"
              - Executes dropped EXE
          [6] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1116)
              cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\KZxOVK36TH.ini"
              - Executes dropped EXE
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1208)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1392)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1244)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1012)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 888)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1692)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1784)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 2008)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1196)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1760)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1888)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1624)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1432)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 964)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1056)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 520)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1360)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 908)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1448)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1172)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe (PID 624)
            cmdline: "cmd"
          [6] C:\Windows\SysWOW64\reg.exe (PID 1392)
              cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              - Adds Run key to start application
        [5] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1836)
            cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1736)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1784)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                - Adds Run key to start application
          [6] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1700)
              cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
            [7] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1432)
                cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini"
                - Executes dropped EXE
            [7] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 968)
                cmdline: /scomma "C:\Users\Admin\AppData\Local\Temp\eqNMrVo7gu.ini"
                - Executes dropped EXE
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1828)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 520)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1600)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1068)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                - Adds Run key to start application
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2000)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 988)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                - Adds Run key to start application
          [6] C:\Windows\SysWOW64\cmd.exe (PID 672)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1208)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                - Adds Run key to start application
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1976)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1304)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1136)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1508)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1112)
              cmdline: "cmd"
            [7] C:\Windows\SysWOW64\reg.exe (PID 1748)
                cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                - Adds Run key to start application
          [6] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe (PID 1760)
              cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\cmd.exe (PID 572)
                cmdline: "cmd"
              [8] C:\Windows\SysWOW64\reg.exe (PID 1980)
                  cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                  - Adds Run key to start application
            [7] C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                cmdline: "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                (the captured page ends here; PID and signatures for this node are not present)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1776 -
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini"8⤵
- Executes dropped EXE
PID:1120
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\rDEviCuDDp.ini"8⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1276
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:2000
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:672
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:768
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1704
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:888
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵PID:1360
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1028
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵PID:1448
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:1628
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:964
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"7⤵PID:696
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"8⤵
- Adds Run key to start application
PID:1936
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1088 -
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1128
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵PID:836
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:624 -
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini"9⤵
- Executes dropped EXE
PID:768
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\NrlsEY5w8i.ini"9⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1624
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:380
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:968
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1028
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1012
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1120
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:688
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵
- Adds Run key to start application
PID:1404
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"8⤵PID:1760
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"9⤵PID:1644
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1252 -
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1092
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:2008
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"9⤵
- Executes dropped EXE
PID:884
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini"10⤵
- Executes dropped EXE
PID:760
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\23ZITHZcu6.ini"10⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:380
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1448
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1696
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1120
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1992
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:688
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1196
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1416
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1644
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1624
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:2036
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1100
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:936
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"9⤵PID:1360
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"10⤵
- Adds Run key to start application
PID:1756
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:2032
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1212
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1448 -
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini"11⤵
- Executes dropped EXE
PID:1456
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\jb5FBWlGGA.ini"11⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:688
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1744
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1116
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:624
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:532
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:936
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:888
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1360
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:760
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:544
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵
- Adds Run key to start application
PID:560
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"10⤵PID:1252
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"11⤵PID:1028
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1276 -
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1776
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1784
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1760 -
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\wHVbdUGLbJ.ini"12⤵
- Executes dropped EXE
PID:1912
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe/scomma "C:\Users\Admin\AppData\Local\Temp\0Xwgm2L1PV.ini"12⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1264
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1744
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:572
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1636
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:672
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1568
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵PID:888
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:1740
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:760
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"11⤵PID:884
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"12⤵
- Adds Run key to start application
PID:1236
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1716 -
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1976
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:1936
-
-
-
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"12⤵
- Executes dropped EXE
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1120
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵
- Adds Run key to start application
PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"12⤵PID:1664
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"13⤵PID:824
-
-
-
-
-
-
-
-
-
-
-
-