Analysis Overview
SHA256
39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685
Threat Level: Known bad
The file 39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer Payload
NirSoft MailPassView
Nirsoft
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-08 19:47
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-08 19:47
Reported
2022-03-08 20:07
Platform
win10v2004-en-20220112
Max time kernel
134s
Max time network
164s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3368 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3368 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 2428 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
| PID 2428 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
"C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
| Country | Destination | Domain | Proto |
| NL | 92.123.77.56:80 | | tcp |
| NL | 67.26.105.254:80 | | tcp |
| US | 13.89.179.8:443 | | tcp |
| NL | 104.80.224.57:443 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.143.87.28:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-08 19:47
Reported
2022-03-08 20:07
Platform
win7-en-20211208
Max time kernel
153s
Max time network
161s
Command Line
Signatures
ISR Stealer
ISR Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
"C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\S2Kn4FrzMo.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\fzHcBETboj.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\T8dA8Q8fo8.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\vJ6hDCMTWg.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\4p8sMiOdjp.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\nkgPoCypxv.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\GvqnSrhVjz.ini"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\dLTIMxWikA.ini"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
"C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\mP8en9o74Z.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\sckAbiqwQ6.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\5HBW3gM1lF.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\k2KsCiSHrM.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\oeW9HksJB1.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\TxNRRKfb2O.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\B4boVO3TjR.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\mkmqM22rE5.ini"
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\aKUE0ZQf7E.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loki5.info | udp |
Files
memory/1288-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
memory/1288-57-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/1288-56-0x0000000074100000-0x00000000746AB000-memory.dmp
memory/1288-58-0x0000000074100000-0x00000000746AB000-memory.dmp
\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
| MD5 | 445ceb67566b9baadce86dea15d48026 |
| SHA1 | 2ce8fccfec4a063cb153cc0d0d539612e14ba1a3 |
| SHA256 | 39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685 |
| SHA512 | dcc02495e096f2fd7d057e6c84c521541cc18e1756dd6599cb66a5c76076db6f2c6961395ebc08c43a876fc792a301635c6ea9b3ab9f8f082d4abb9abcbc687c |
C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
| MD5 | 445ceb67566b9baadce86dea15d48026 |
| SHA1 | 2ce8fccfec4a063cb153cc0d0d539612e14ba1a3 |
| SHA256 | 39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685 |
| SHA512 | dcc02495e096f2fd7d057e6c84c521541cc18e1756dd6599cb66a5c76076db6f2c6961395ebc08c43a876fc792a301635c6ea9b3ab9f8f082d4abb9abcbc687c |
C:\Users\Admin\AppData\Local\Temp\S2Kn4FrzMo.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\Update.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\T8dA8Q8fo8.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\Update.txt
| MD5 | 7814da186e4aaf4b61099ce6873f3d4d |
| SHA1 | 1230cc163d58be77af7e34b3eea9fa8d47962809 |
| SHA256 | cc0aee7bd025217e80246da9608995bcae460c376b1bd94c9af4e1b2b00229fe |
| SHA512 | 87a155e66ba87e5cde1b83d90572426d0c766678325f25c77fbe896197a4ab690705c655de8f0259a4f3de31a6d4dd625cfe6d26741446085f5c459098f91615 |
C:\Users\Admin\AppData\Local\Temp\4p8sMiOdjp.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\GvqnSrhVjz.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\mP8en9o74Z.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\5HBW3gM1lF.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\oeW9HksJB1.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Temp\B4boVO3TjR.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |