Malware Analysis Report

2025-01-18 16:46

Sample ID 220308-xb5h5sddcq
Target 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
Tags
isrstealer collection persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d

Threat Level: Known bad

The file 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d was found to be: Known bad.

Malicious Activity Summary

isrstealer collection persistence spyware stealer trojan upx

ISR Stealer Payload

ISR Stealer

Nirsoft

NirSoft MailPassView

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-08 18:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-08 18:41

Reported

2022-03-08 18:59

Platform

win7-en-20211208

Max time kernel

153s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

NirSoft MailPassView

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Nirsoft

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 35

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 14

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 2

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 6

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Count
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A | 33
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A | 31

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2016 set thread context of 1432 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1432 set thread context of 1776 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1432 set thread context of 696 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 864 set thread context of 1540 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1540 set thread context of 1796 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1540 set thread context of 1116 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1836 set thread context of 1700 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1700 set thread context of 1432 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1700 set thread context of 968 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1760 set thread context of 1776 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1776 set thread context of 1120 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1776 set thread context of 1276 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1088 set thread context of 624 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 624 set thread context of 768 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 624 set thread context of 1624 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1252 set thread context of 1748 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1748 set thread context of 760 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1748 set thread context of 1804 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1780 set thread context of 1448 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1448 set thread context of 1456 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1448 set thread context of 1976 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1276 set thread context of 1760 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1760 set thread context of 1912 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1760 set thread context of 1264 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 1716 set thread context of 1708 | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe | N/A | 2
N/A | N/A | C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe | N/A | 62

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 580 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 580 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 580 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1100 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1100 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1100 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1100 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1100 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1100 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1100 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1012 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1012 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1012 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1012 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1012 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1012 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1012 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1900 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1900 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1900 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1900 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 1776 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe
PID 2016 wrote to memory of 1408 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1944 N/A C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe

"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

"C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\IFWf0d3OIl.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\izwdA8AEkY.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\KZxOVK36TH.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\eqNMrVo7gu.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\rDEviCuDDp.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\NrlsEY5w8i.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\23ZITHZcu6.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\jb5FBWlGGA.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\wHVbdUGLbJ.ini"

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\0Xwgm2L1PV.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 loki5.info udp

Files

\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

C:\Users\Admin\AppData\Local\Temp\IqsGLEM4M9.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\AppData\Local\Temp\FxhNHfTYPS.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\AppData\Local\Temp\W2ou2E8R97.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

memory/1088-188-0x0000000074330000-0x00000000748DB000-memory.dmp

memory/1088-189-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/1088-190-0x0000000074330000-0x00000000748DB000-memory.dmp

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\1gLrZaKA5z.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

memory/1252-222-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1252-221-0x0000000074330000-0x00000000748DB000-memory.dmp

memory/1252-223-0x0000000074330000-0x00000000748DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\U6cTNDBHbl.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

memory/1780-281-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/1780-282-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1780-283-0x00000000742F0000-0x000000007489B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZsLAhzgPOs.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

memory/1276-298-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/1276-300-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/1276-302-0x00000000742F0000-0x000000007489B000-memory.dmp

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

C:\Users\Admin\AppData\Local\Temp\Update.txt

MD5 6885952fdab875d074325dae7f83efc1
SHA1 0b2f9c7efcd7cd4375a464e2b9ef928ce36e4c0b
SHA256 2b3f1d9c48cf4072b84b9af2ac88792e20d10efb322fa6e5a0f0ce0ed73e0302
SHA512 d979228711d27e38635089c1939546006f59a9f8fa1e6445907d6ceba3d00b940045e93b0ecb67969588b47d50cc84291a9a99c05121f83b7da8de3a906ff82f

C:\Users\Admin\Desktop\jsjajannjnjcjcj897\filename.exe

MD5 688d0b8e41ec120ca2d2a43d55cd7bef
SHA1 c15c834cec66a405e32189ecfb332eb9a5013fa4
SHA256 4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d
SHA512 cd5e0447935471736618d87197d65a6a329fbdc5edc1e44a83de6a51557bcf07fd097dae1657d25544f72b9fec20ae4ec2541a8cd9fce5884218e222f0683339

memory/1716-339-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/1716-340-0x0000000000500000-0x0000000000501000-memory.dmp

memory/1716-341-0x00000000742F0000-0x000000007489B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-08 18:41

Reported

2022-03-08 18:59

Platform

win10v2004-en-20220112

Max time kernel

56s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe

"C:\Users\Admin\AppData\Local\Temp\4a29c2b1e77adcd0dba368a4713d5089a686a0ce4857e9b6447c3503ca0fbf4d.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Country Destination Domain Proto
US 52.167.17.97:443 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.179.219.14:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp

Files

N/A