Analysis Overview
SHA256
4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
Threat Level: Known bad
The file 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d was found to be: Known bad.
Malicious Activity Summary
ISR Stealer Payload
ISR Stealer
Nirsoft
NirSoft MailPassView
Executes dropped EXE
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-08 18:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-08 18:41
Reported
2022-03-08 18:59
Platform
win7-en-20211208
Max time kernel
153s
Max time network
146s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
NirSoft MailPassView
Nirsoft
Executes dropped EXE
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 2 |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target | Count |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 6 |
Adds Run key to start application
| Description | Indicator | Process | Target | Count |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A | 33 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A | 31 |
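The Run value recorded above does not point at a program. It launches cmd, which uses `type` to feed the contents of C:\Users\Admin\AppData\Local\Temp\Update.txt into a second cmd on standard input, so the script that actually runs at logon is stored in a .txt file rather than in the autostart entry or in an executable. The Processes section below also shows filename.exe started with NirSoft's /scomma save switch, writing its export to a random-named .ini under the same Temp directory. The Python below is an added example, not part of this report or of any sandbox's code: it reads process/command-line pairs of the kind listed in the Processes section (the sample events are copied from there) and flags both patterns. The reg add parser, the interpreter/LOLBin list and the scoring reasons are the example's own assumptions; the NirSoft switch list covers the save-to-file switches the NirSoft password tools share (/stext, /stab, /scomma, /stabular, /shtml, /sverhtml, /sxml).

```python
"""Added example: flag the two behaviours recorded in this report from
process/command-line events (Run-key persistence via reg.exe, NirSoft export)."""
import re

# `reg add <key> [/v name] [/d data] [/f]`, key quoted or bare; accepts `reg`,
# `reg.exe` or an unquoted full path such as C:\Windows\SysWOW64\reg.exe.
REG_ADD_RE = re.compile(
    r'^\s*(?:[^"\s]*\\)?reg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$',
    re.IGNORECASE)
VALUE_RE = re.compile(r'(?<!\S)/v\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# /d data is taken greedily up to the LAST double quote: right when /d is the
# final quoted argument, as in this report, where the data itself contains quotes.
DATA_RE = re.compile(r'(?<!\S)/d\s+(?:"(.*)"|(\S+))', re.IGNORECASE)
FORCE_RE = re.compile(r'(?<!\S)/f(?!\S)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
# Save-to-file switches shared by NirSoft's password-recovery tools.
NIRSOFT_SAVE_RE = re.compile(
    r'(?<!\S)(/s(?:tabular|text|tab|comma|verhtml|html|xml))\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE)
# Interpreter / LOLBin names used by the heuristic (assumption: this list is the example's own).
INTERPRETER_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b',
    re.IGNORECASE)


def _first(m, *groups):
    """First non-None capture group of a match (quoted vs. bare alternatives)."""
    return next((m.group(g) for g in groups if m.group(g) is not None), None)


def parse_reg_add(cmdline):
    """Split a `reg add` command line into key, value name, data and the /f flag."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    rest = m.group('rest')
    v, d = VALUE_RE.search(rest), DATA_RE.search(rest)
    return {'key': _first(m, 'qkey', 'key'),
            'name': _first(v, 1, 2) if v else None,
            'data': _first(d, 1, 2) if d else None,
            'force': bool(FORCE_RE.search(rest))}


def is_run_key(key):
    """True for ...\\CurrentVersion\\Run and RunOnce under any hive (Wow6432Node too)."""
    return bool(RUN_KEY_RE.search(key.rstrip('\\')))


def run_value_findings(data):
    """Reasons an autostart value looks malicious; empty for a plain program path."""
    reasons = []
    if re.search(r'\btype\b[^|]*\|\s*(?:cmd|powershell|pwsh)\b', data, re.IGNORECASE):
        reasons.append('file piped into an interpreter ("type ... | cmd"): '
                       'the real startup script lives in a non-executable file')
    if INTERPRETER_RE.match(data):
        reasons.append('value launches an interpreter or LOLBin, not an application path')
    if re.search(r'\\AppData\\Local\\Temp\\', data, re.IGNORECASE):
        reasons.append('references a payload under %LOCALAPPDATA%\\Temp')
    return reasons


def nirsoft_export(cmdline):
    """(switch, output path) when a NirSoft save switch is present, else None."""
    m = NIRSOFT_SAVE_RE.search(cmdline)
    return (m.group(1).lower(), _first(m, 2, 3)) if m else None


def triage(events):
    """events: iterable of (process image path, command line) pairs."""
    findings = []
    for process, cmdline in events:
        reg = parse_reg_add(cmdline)
        if reg and reg['key'] and is_run_key(reg['key']):
            findings.append({'kind': 'run_key_persistence', 'process': process,
                             'key': reg['key'], 'name': reg['name'], 'data': reg['data'],
                             'reasons': run_value_findings(reg['data'] or '')})
            continue
        exp = nirsoft_export(cmdline)
        if exp:
            findings.append({'kind': 'nirsoft_export', 'process': process,
                             'switch': exp[0], 'output': exp[1]})
    return findings


# Constructed input: four process/command-line pairs copied from the Processes
# section of this report.
SAMPLE_EVENTS = [
    (r'C:\Windows\SysWOW64\cmd.exe', r'"cmd"'),
    (r'C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe',
     r'"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"'),
    (r'C:\Windows\SysWOW64\reg.exe',
     r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" '
     r'/d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"'),
    (r'C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe',
     r'/scomma "C:\Users\Admin\AppData\Local\Temp\IFWf0d3OIl.ini"'),
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints one finding for the reg.exe line (three reasons: file piped into cmd, interpreter as autostart target, payload under Temp) and one for the /scomma line. In production the same pairs come from process-creation telemetry (for example the Image and CommandLine fields of Sysmon event ID 1). Note that the sandbox records the key under the user's SID (\REGISTRY\USER\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run) while reg.exe was given HKEY_CURRENT_USER; `is_run_key` matches on the path suffix, so either spelling is caught.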
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 9 |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 8 |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\IFWf0d3OIl.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\izwdA8AEkY.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\KZxOVK36TH.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\eqNMrVo7gu.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\rDEviCuDDp.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\NrlsEY5w8i.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\23ZITHZcu6.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\jb5FBWlGGA.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\wHVbdUGLbJ.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\0Xwgm2L1PV.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loki5.info | udp |
Files
\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
| MD5 | 688d0b8e41ec120ca2d2a43d55cd7bef |
| SHA1 | c15c834cec66a405e32189ecfb332eb9a5013fa4 |
| SHA256 | 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d |
| SHA512 | cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339 |
C:\Users\Admin\AppData\Local\Temp\Update.txt
| MD5 | 6885952fdab875d074325dae7f83efc1 |
| SHA1 | 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b |
| SHA256 | 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302 |
| SHA512 | d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f |
C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-08 18:41
Reported
2022-03-08 18:59
Platform
win10v2004-en-20220112
Max time kernel
56s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3344 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3344 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3344 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3660 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
| PID 3660 wrote to memory of 3644 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe
"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
| Country | Destination | Domain | Proto |
| US | 52.167.17.97:443 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.179.219.14:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |