Analysis

  • max time kernel
    153s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08-03-2022 18:41

General

  • Target

    4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe

  • Size

    340KB

  • MD5

    688d0b8e41ec120ca2d2a43d55cd7bef

  • SHA1

    c15c834cec66a405e32189ecfb332eb9a5013fa4

  • SHA256

    4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d

  • SHA512

    cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer Payload (2 IoCs)
  • NirSoft MailPassView (2 IoCs)

    Password recovery tool for various email clients.

  • NirSoft (2 IoCs)
  • Executes dropped EXE (35 IoCs)
  • UPX packed file (14 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses Microsoft Outlook accounts (1 TTP, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Suspicious use of SetThreadContext (25 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
    "C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
        "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          "cmd"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1100
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            5⤵
            • Adds Run key to start application
            PID:1508
        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
          "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\IFWf0d3OIl.ini"
            5⤵
            • Executes dropped EXE
            PID:1776
          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\izwdA8AEkY.ini"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:696
        • C:\Windows\SysWOW64\cmd.exe
          "cmd"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            5⤵
            • Adds Run key to start application
            PID:1032
        • C:\Windows\SysWOW64\cmd.exe
          "cmd"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            5⤵
              PID:1904
          • C:\Windows\SysWOW64\cmd.exe
            "cmd"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1408
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
              5⤵
                PID:532
            • C:\Windows\SysWOW64\cmd.exe
              "cmd"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1944
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                5⤵
                • Adds Run key to start application
                PID:1504
            • C:\Windows\SysWOW64\cmd.exe
              "cmd"
              4⤵
                PID:1696
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                  5⤵
                    PID:604
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd"
                  4⤵
                    PID:1888
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                      5⤵
                      • Adds Run key to start application
                      PID:2024
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd"
                    4⤵
                      PID:1620
                      • C:\Windows\SysWOW64\reg.exe
                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                        5⤵
                        • Adds Run key to start application
                        PID:1548
                    • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                      "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:864
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd"
                        5⤵
                          PID:672
                          • C:\Windows\SysWOW64\reg.exe
                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                            6⤵
                            • Adds Run key to start application
                            PID:1804
                        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                          "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of SetWindowsHookEx
                          PID:1540
                          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini"
                            6⤵
                            • Executes dropped EXE
                            PID:1796
                          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\KZxOVK36TH.ini"
                            6⤵
                            • Executes dropped EXE
                            PID:1116
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd"
                          5⤵
                            PID:1208
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                              6⤵
                              • Adds Run key to start application
                              PID:1392
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd"
                            5⤵
                              PID:1244
                              • C:\Windows\SysWOW64\reg.exe
                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                6⤵
                                • Adds Run key to start application
                                PID:1012
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd"
                              5⤵
                                PID:888
                                • C:\Windows\SysWOW64\reg.exe
                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                  6⤵
                                  • Adds Run key to start application
                                  PID:1692
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd"
                                5⤵
                                  PID:1784
                                  • C:\Windows\SysWOW64\reg.exe
                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                    6⤵
                                      PID:2008
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "cmd"
                                    5⤵
                                      PID:1196
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                        6⤵
                                          PID:1760
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd"
                                        5⤵
                                          PID:1888
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                            6⤵
                                            • Adds Run key to start application
                                            PID:1624
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd"
                                          5⤵
                                            PID:1432
                                            • C:\Windows\SysWOW64\reg.exe
                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                              6⤵
                                              • Adds Run key to start application
                                              PID:964
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "cmd"
                                            5⤵
                                              PID:1056
                                              • C:\Windows\SysWOW64\reg.exe
                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                6⤵
                                                • Adds Run key to start application
                                                PID:520
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "cmd"
                                              5⤵
                                                PID:1360
                                                • C:\Windows\SysWOW64\reg.exe
                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                  6⤵
                                                  • Adds Run key to start application
                                                  PID:908
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "cmd"
                                                5⤵
                                                  PID:1448
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                    6⤵
                                                    • Adds Run key to start application
                                                    PID:1172
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "cmd"
                                                  5⤵
                                                    PID:624
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                      6⤵
                                                      • Adds Run key to start application
                                                      PID:1392
                                                  • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                    "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1836
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "cmd"
                                                      6⤵
                                                        PID:1736
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                          7⤵
                                                          • Adds Run key to start application
                                                          PID:1784
                                                      • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                        "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1700
                                                        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:1432
                                                        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\eqNMrVo7gu.ini"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:968
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "cmd"
                                                        6⤵
                                                          PID:1828
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                            7⤵
                                                              PID:520
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "cmd"
                                                            6⤵
                                                              PID:1600
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                7⤵
                                                                • Adds Run key to start application
                                                                PID:1068
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "cmd"
                                                              6⤵
                                                                PID:2000
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                  7⤵
                                                                  • Adds Run key to start application
                                                                  PID:988
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "cmd"
                                                                6⤵
                                                                  PID:672
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                    7⤵
                                                                    • Adds Run key to start application
                                                                    PID:1208
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "cmd"
                                                                  6⤵
                                                                    PID:1976
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                      7⤵
                                                                        PID:1304
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "cmd"
                                                                      6⤵
                                                                        PID:1136
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                          7⤵
                                                                            PID:1508
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "cmd"
                                                                          6⤵
                                                                            PID:1112
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                              7⤵
                                                                              • Adds Run key to start application
                                                                              PID:1748
                                                                          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                            "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1760
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "cmd"
                                                                              7⤵
                                                                                PID:572
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                  8⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:1980
                                                                              • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                7⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1776
                                                                                • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                  /scomma "C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini"
                                                                                  8⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1120
                                                                                • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                  /scomma "C:\Users\Admin\AppData\Local\Temp\rDEviCuDDp.ini"
                                                                                  8⤵
                                                                                  • Executes dropped EXE
                                                                                  • Accesses Microsoft Outlook accounts
                                                                                  PID:1276
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "cmd"
                                                                                7⤵
                                                                                  PID:1636
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                    8⤵
                                                                                    • Adds Run key to start application
                                                                                    PID:2000
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "cmd"
                                                                                  7⤵
                                                                                    PID:672
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                      8⤵
                                                                                      • Adds Run key to start application
                                                                                      PID:768
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "cmd"
                                                                                    7⤵
                                                                                      PID:1704
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                        8⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:1976
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "cmd"
                                                                                      7⤵
                                                                                        PID:888
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                          8⤵
                                                                                            PID:1360
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "cmd"
                                                                                          7⤵
                                                                                            PID:1028
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                              8⤵
                                                                                                PID:1448
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "cmd"
                                                                                              7⤵
                                                                                                PID:1628
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                  8⤵
                                                                                                  • Adds Run key to start application
                                                                                                  PID:964
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "cmd"
                                                                                                7⤵
                                                                                                  PID:696
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                    8⤵
                                                                                                    • Adds Run key to start application
                                                                                                    PID:1936
                                                                                                • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                  "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                  7⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1088
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "cmd"
                                                                                                    8⤵
                                                                                                      PID:1128
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                        9⤵
                                                                                                          PID:836
                                                                                                      • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                        "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                        8⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:624
                                                                                                        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini"
                                                                                                          9⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:768
                                                                                                        • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                          /scomma "C:\Users\Admin\AppData\Local\Temp\NrlsEY5w8i.ini"
                                                                                                          9⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Accesses Microsoft Outlook accounts
                                                                                                          PID:1624
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "cmd"
                                                                                                        8⤵
                                                                                                          PID:380
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                            9⤵
                                                                                                            • Adds Run key to start application
                                                                                                            PID:1432
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          "cmd"
                                                                                                          8⤵
                                                                                                            PID:968
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                              9⤵
                                                                                                              • Adds Run key to start application
                                                                                                              PID:1028
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "cmd"
                                                                                                            8⤵
                                                                                                              PID:1012
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                9⤵
                                                                                                                • Adds Run key to start application
                                                                                                                PID:1700
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "cmd"
                                                                                                              8⤵
                                                                                                                PID:1120
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                  9⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  PID:1712
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "cmd"
                                                                                                                8⤵
                                                                                                                  PID:688
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                    9⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:1404
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  "cmd"
                                                                                                                  8⤵
                                                                                                                    PID:1760
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                      9⤵
                                                                                                                        PID:1644
                                                                                                                    • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                      "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                      8⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:1252
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "cmd"
                                                                                                                        9⤵
                                                                                                                          PID:1092
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                            10⤵
                                                                                                                              PID:2008
                                                                                                                          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                            "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                            9⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:884
                                                                                                                          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                            "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                            9⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:1748
                                                                                                                            • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                              /scomma "C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini"
                                                                                                                              10⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:760
                                                                                                                            • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                              /scomma "C:\Users\Admin\AppData\Local\Temp\23ZITHZcu6.ini"
                                                                                                                              10⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Accesses Microsoft Outlook accounts
                                                                                                                              PID:1804
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "cmd"
                                                                                                                            9⤵
                                                                                                                              PID:380
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                10⤵
                                                                                                                                • Adds Run key to start application
                                                                                                                                PID:1448
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "cmd"
                                                                                                                              9⤵
                                                                                                                                PID:1696
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                  10⤵
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  PID:1120
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                "cmd"
                                                                                                                                9⤵
                                                                                                                                  PID:1992
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                    10⤵
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    PID:688
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "cmd"
                                                                                                                                  9⤵
                                                                                                                                    PID:1196
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                      10⤵
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      PID:1416
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    "cmd"
                                                                                                                                    9⤵
                                                                                                                                      PID:1644
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                        10⤵
                                                                                                                                          PID:1564
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        "cmd"
                                                                                                                                        9⤵
                                                                                                                                          PID:1624
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                            10⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            PID:2036
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "cmd"
                                                                                                                                          9⤵
                                                                                                                                            PID:1100
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                              10⤵
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              PID:936
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            "cmd"
                                                                                                                                            9⤵
                                                                                                                                              PID:1360
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                10⤵
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                PID:1756
                                                                                                                                            • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                              "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                                              9⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:1780
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                "cmd"
                                                                                                                                                10⤵
                                                                                                                                                  PID:2032
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                    11⤵
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    PID:1212
                                                                                                                                                • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                  "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                                                  10⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1448
                                                                                                                                                  • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                    /scomma "C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini"
                                                                                                                                                    11⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:1456
                                                                                                                                                  • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                    /scomma "C:\Users\Admin\AppData\Local\Temp\jb5FBWlGGA.ini"
                                                                                                                                                    11⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Accesses Microsoft Outlook accounts
                                                                                                                                                    PID:1976
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "cmd"
                                                                                                                                                  10⤵
                                                                                                                                                    PID:688
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                      11⤵
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      PID:1744
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "cmd"
                                                                                                                                                    10⤵
                                                                                                                                                      PID:1116
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                        11⤵
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        PID:624
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      "cmd"
                                                                                                                                                      10⤵
                                                                                                                                                        PID:532
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                          11⤵
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          PID:1636
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        "cmd"
                                                                                                                                                        10⤵
                                                                                                                                                          PID:936
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                            11⤵
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            PID:888
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "cmd"
                                                                                                                                                          10⤵
                                                                                                                                                            PID:1360
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                              11⤵
                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                              PID:760
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "cmd"
                                                                                                                                                            10⤵
                                                                                                                                                              PID:544
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                                11⤵
                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                PID:560
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "cmd"
                                                                                                                                                              10⤵
                                                                                                                                                                PID:1252
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                                  11⤵
                                                                                                                                                                    PID:1028
                                                                                                                                                                • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                                  "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                                                                  10⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:1276
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    "cmd"
                                                                                                                                                                    11⤵
                                                                                                                                                                      PID:1776
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                                        12⤵
                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                        PID:1784
                                                                                                                                                                    • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                                      "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
                                                                                                                                                                      11⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                      PID:1760
                                                                                                                                                                      • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                                        /scomma "C:\Users\Admin\AppData\Local\Temp\wHVbdUGLbJ.ini"
                                                                                                                                                                        12⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:1912
                                                                                                                                                                      • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
                                                                                                                                                                        /scomma "C:\Users\Admin\AppData\Local\Temp\0Xwgm2L1PV.ini"
                                                                                                                                                                        12⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Accesses Microsoft Outlook accounts
                                                                                                                                                                        PID:1264
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "cmd"
                                                                                                                                                                      11⤵
                                                                                                                                                                        PID:1744
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                                          12⤵
                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                          PID:572
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        "cmd"
                                                                                                                                                                        11⤵
                                                                                                                                                                          PID:1636
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                                                                                                                                                                            12⤵
                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                            PID:672
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          "cmd"
                                                                                                                                                                          11⤵
                                                                                                                                                                            PID:1568
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
    12⤵
      PID:888
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    11⤵
      PID:1740
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        • Adds Run key to start application
        PID:760
  • C:\Windows\SysWOW64\cmd.exe
    "cmd"
    11⤵
      PID:884
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        • Adds Run key to start application
        PID:1236
    • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
      "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
      11⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        "cmd"
        12⤵
          PID:1976
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            13⤵
              PID:1936
          • C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
            "C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
            12⤵
            • Executes dropped EXE
            PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            "cmd"
            12⤵
              PID:1120
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                13⤵
                • Adds Run key to start application
                PID:1548
            • C:\Windows\SysWOW64\cmd.exe
              "cmd"
              12⤵
                PID:1664
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
                  13⤵
                    PID:824

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/696-91-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/696-92-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/696-90-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/696-86-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize 124KB)
  • memory/864-115-0x0000000074320000-0x00000000748CB000-memory.dmp (Filesize 5.7MB)
  • memory/864-117-0x0000000074320000-0x00000000748CB000-memory.dmp (Filesize 5.7MB)
  • memory/864-116-0x0000000000C50000-0x0000000000C51000-memory.dmp (Filesize 4KB)
  • memory/1088-189-0x00000000009F0000-0x00000000009F1000-memory.dmp (Filesize 4KB)
  • memory/1088-190-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1088-188-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1252-221-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1252-222-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize 4KB)
  • memory/1252-223-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1276-300-0x0000000000AA0000-0x0000000000AA1000-memory.dmp (Filesize 4KB)
  • memory/1276-302-0x00000000742F0000-0x000000007489B000-memory.dmp (Filesize 5.7MB)
  • memory/1276-298-0x00000000742F0000-0x000000007489B000-memory.dmp (Filesize 5.7MB)
  • memory/1432-141-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1432-71-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize 264KB)
  • memory/1432-69-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize 264KB)
  • memory/1432-67-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize 264KB)
  • memory/1432-142-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1432-73-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize 264KB)
  • memory/1432-143-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1580-55-0x0000000074F11000-0x0000000074F13000-memory.dmp (Filesize 8KB)
  • memory/1580-58-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1580-57-0x0000000000470000-0x0000000000471000-memory.dmp (Filesize 4KB)
  • memory/1580-56-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1716-339-0x00000000742F0000-0x000000007489B000-memory.dmp (Filesize 5.7MB)
  • memory/1716-340-0x0000000000500000-0x0000000000501000-memory.dmp (Filesize 4KB)
  • memory/1716-341-0x00000000742F0000-0x000000007489B000-memory.dmp (Filesize 5.7MB)
  • memory/1760-173-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1760-174-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize 4KB)
  • memory/1760-175-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
  • memory/1776-79-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1776-83-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1776-84-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1776-85-0x0000000000400000-0x0000000000453000-memory.dmp (Filesize 332KB)
  • memory/1780-282-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize 4KB)
  • memory/1780-283-0x00000000742F0000-0x000000007489B000-memory.dmp (Filesize 5.7MB)
  • memory/1780-281-0x00000000742F0000-0x000000007489B000-memory.dmp

    Filesize

                                                                                                                                                                        5.7MB

                                                                                                                                                                      • memory/1796-112-0x0000000000400000-0x0000000000453000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        332KB

                                                                                                                                                                      • memory/1796-113-0x0000000000400000-0x0000000000453000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        332KB

                                                                                                                                                                      • memory/1796-114-0x0000000000400000-0x0000000000453000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        332KB

                                                                                                                                                                      • memory/1836-146-0x00000000742C0000-0x000000007486B000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.7MB

                                                                                                                                                                      • memory/1836-144-0x00000000742C0000-0x000000007486B000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.7MB

                                                                                                                                                                      • memory/1836-145-0x0000000000C70000-0x0000000000C71000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4KB

                                                                                                                                                                      • memory/2016-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        4KB

                                                                                                                                                                      • memory/2016-64-0x0000000074330000-0x00000000748DB000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.7MB

                                                                                                                                                                      • memory/2016-66-0x0000000074330000-0x00000000748DB000-memory.dmp

                                                                                                                                                                        Filesize

                                                                                                                                                                        5.7MB