isrstealer | 53fba2b982786f4089a9b25645858bc9d57fd6a0611e64e5b21567a4fc6713d5

Analysis

max time kernel
59s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Size

584KB
MD5

aa55a896d27c573c44b0f6b36529a19f
SHA1

4b08027845296f05bb8251a70aa054ff16aabdfd
SHA256

53fba2b982786f4089a9b25645858bc9d57fd6a0611e64e5b21567a4fc6713d5
SHA512

2e4df771683a664945ee6876980dafd188ce77ae53aa72f7166da5365e73952ec9183ab4eac5b469b1b629f19f30b155a889679ea699c19101a37a5391446b57
SSDEEP

12288:koB7Xn+tZe3Ai7fbVYhaJqGMeK4ZN6Y3SoJCzVXV49z/:kKKToSF49z

Score

10^/10

isrstealer collection discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3396-4-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/3396-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/3396-161-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/3396-804-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 25 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/6740-592-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6788-599-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6988-612-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7324-609-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7012-614-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7324-603-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6972-601-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7020-590-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6932-587-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7024-583-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7024-576-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6932-567-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6788-566-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6740-565-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8044-650-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8044-655-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7380-675-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8160-731-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8160-741-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8408-777-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8728-822-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6076-1062-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/8704-1061-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/6256-1060-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/7556-1059-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 25 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/6740-592-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6788-599-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6988-612-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7324-609-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7012-614-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7324-603-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6972-601-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7020-590-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6932-587-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7024-583-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7024-576-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6932-567-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6788-566-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6740-565-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8044-650-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8044-655-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7380-675-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8160-731-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8160-741-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8408-777-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8728-822-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6076-1062-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/8704-1061-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/6256-1060-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/7556-1059-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	FUD.exe

Executes dropped EXE 64 IoCs

pid	Process
4216	zYznmstQsD.exe
1204	FUD.exe
4064	zYznmstQsD.exe
3292	FUD.exe
3236	zYznmstQsD.exe
812	FUD.exe
5000	zYznmstQsD.exe
3884	FUD.exe
760	zYznmstQsD.exe
4156	FUD.exe
1628	zYznmstQsD.exe
4836	FUD.exe
3452	zYznmstQsD.exe
4312	FUD.exe
1020	zYznmstQsD.exe
3008	FUD.exe
760	zYznmstQsD.exe
3980	FUD.exe
5232	zYznmstQsD.exe
5404	FUD.exe
5592	zYznmstQsD.exe
5684	FUD.exe
5868	zYznmstQsD.exe
5952	FUD.exe
5152	zYznmstQsD.exe
5460	FUD.exe
5840	zYznmstQsD.exe
3740	FUD.exe
5624	zYznmstQsD.exe
1548	FUD.exe
3816	zYznmstQsD.exe
6204	FUD.exe
6416	zYznmstQsD.exe
6552	FUD.exe
6732	zYznmstQsD.exe
6856	FUD.exe
7040	zYznmstQsD.exe
7148	FUD.exe
6424	zYznmstQsD.exe
6692	FUD.exe
7032	zYznmstQsD.exe
6332	FUD.exe
7048	zYznmstQsD.exe
7580	FUD.exe
7852	zYznmstQsD.exe
7972	FUD.exe
7204	zYznmstQsD.exe
7340	FUD.exe
7732	zYznmstQsD.exe
7864	FUD.exe
7224	zYznmstQsD.exe
7784	FUD.exe
7368	zYznmstQsD.exe
7280	FUD.exe
8364	zYznmstQsD.exe
8484	FUD.exe
8784	zYznmstQsD.exe
8896	FUD.exe
9092	zYznmstQsD.exe
9184	FUD.exe
7128	zYznmstQsD.exe
8568	FUD.exe
5988	zYznmstQsD.exe
5996	FUD.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 64 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\FUD.exe"	zYznmstQsD.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4980 set thread context of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 3396 set thread context of 4056	3396	vbc.exe	88
PID 4052 set thread context of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 2032 set thread context of 4416	2032	vbc.exe	95
PID 1204 set thread context of 3968	1204	FUD.exe	98
PID 3968 set thread context of 1440	3968	vbc.exe	100
PID 3292 set thread context of 1724	3292	FUD.exe	104
PID 1724 set thread context of 1528	1724	vbc.exe	106
PID 812 set thread context of 2572	812	FUD.exe	112
PID 2572 set thread context of 3500	2572	vbc.exe	113
PID 3884 set thread context of 4824	3884	FUD.exe	119
PID 4824 set thread context of 4736	4824	vbc.exe	120
PID 4156 set thread context of 5104	4156	FUD.exe	125
PID 5104 set thread context of 4468	5104	vbc.exe	126
PID 4836 set thread context of 5056	4836	FUD.exe	131
PID 5056 set thread context of 4712	5056	vbc.exe	132
PID 4312 set thread context of 4448	4312	FUD.exe	139
PID 4448 set thread context of 772	4448	vbc.exe	140
PID 3008 set thread context of 4976	3008	FUD.exe	145
PID 4976 set thread context of 2380	4976	vbc.exe	146
PID 3980 set thread context of 4160	3980	FUD.exe	152
PID 4160 set thread context of 5016	4160	vbc.exe	153
PID 5404 set thread context of 5436	5404	FUD.exe	159
PID 5436 set thread context of 5488	5436	vbc.exe	160
PID 5684 set thread context of 5716	5684	FUD.exe	165
PID 5716 set thread context of 5768	5716	vbc.exe	166
PID 5952 set thread context of 6020	5952	FUD.exe	171
PID 6020 set thread context of 6072	6020	vbc.exe	172
PID 5460 set thread context of 5520	5460	FUD.exe	177
PID 5520 set thread context of 5604	5520	vbc.exe	178
PID 3740 set thread context of 6068	3740	FUD.exe	183
PID 6068 set thread context of 3124	6068	vbc.exe	184
PID 1548 set thread context of 5184	1548	FUD.exe	190
PID 5184 set thread context of 5140	5184	vbc.exe	191
PID 6204 set thread context of 6268	6204	FUD.exe	197
PID 6268 set thread context of 6316	6268	vbc.exe	198
PID 6552 set thread context of 6588	6552	FUD.exe	203
PID 6588 set thread context of 6640	6588	vbc.exe	204
PID 6856 set thread context of 6896	6856	FUD.exe	209
PID 6896 set thread context of 6944	6896	vbc.exe	210
PID 7148 set thread context of 5168	7148	FUD.exe	215
PID 5168 set thread context of 6288	5168	vbc.exe	216
PID 6692 set thread context of 6724	6692	FUD.exe	221
PID 6724 set thread context of 6820	6724	vbc.exe	222
PID 6332 set thread context of 6396	6332	FUD.exe	227
PID 6396 set thread context of 6344	6396	vbc.exe	228
PID 4448 set thread context of 6740	4448	vbc.exe	232
PID 5056 set thread context of 6788	5056	vbc.exe	233
PID 5104 set thread context of 6932	5104	vbc.exe	234
PID 1724 set thread context of 6972	1724	vbc.exe	237
PID 2572 set thread context of 7020	2572	vbc.exe	238
PID 3968 set thread context of 7012	3968	vbc.exe	239
PID 3396 set thread context of 7024	3396	vbc.exe	236
PID 2032 set thread context of 6988	2032	vbc.exe	235
PID 4824 set thread context of 7044	4824	vbc.exe	333
PID 4976 set thread context of 7324	4976	vbc.exe	242
PID 7580 set thread context of 7684	7580	FUD.exe	245
PID 7684 set thread context of 7744	7684	vbc.exe	246
PID 7972 set thread context of 8004	7972	FUD.exe	251
PID 4160 set thread context of 8044	4160	vbc.exe	252
PID 8004 set thread context of 8060	8004	vbc.exe	253
PID 5436 set thread context of 8148	5436	vbc.exe	254
PID 5716 set thread context of 7380	5716	vbc.exe	259
PID 7340 set thread context of 7416	7340	FUD.exe	260

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4056-10-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4056-13-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4056-15-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4056-24-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4056-26-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4416-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4416-49-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1440-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1528-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1528-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1528-87-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1528-91-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3500-116-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4736-139-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4468-164-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4712-186-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/772-207-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/772-211-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2380-234-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5016-255-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5016-259-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5488-281-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5768-302-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5768-306-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6072-327-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6072-331-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5604-353-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5604-356-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3124-382-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3124-378-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5140-403-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/5140-408-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6316-429-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6316-433-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6640-464-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6944-482-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6288-502-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6820-522-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6344-544-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/6740-592-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6788-599-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6988-612-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7324-609-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7012-614-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7324-603-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6972-601-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7020-590-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6932-587-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7024-583-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7024-576-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7020-568-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6932-567-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6788-566-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6740-565-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7744-623-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/7744-627-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/8060-651-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/8044-650-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/8044-655-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7380-671-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/7380-675-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/6428-688-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/8132-707-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/8172-737-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zYznmstQsD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUD.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
1204	FUD.exe
1204	FUD.exe
1204	FUD.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
3292	FUD.exe
3292	FUD.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
3292	FUD.exe
3292	FUD.exe
3292	FUD.exe
3292	FUD.exe
812	FUD.exe
812	FUD.exe
812	FUD.exe
812	FUD.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
3884	FUD.exe
3884	FUD.exe
3884	FUD.exe
3884	FUD.exe
3292	FUD.exe
3292	FUD.exe
3292	FUD.exe
3292	FUD.exe
812	FUD.exe
812	FUD.exe
812	FUD.exe
812	FUD.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Token: SeDebugPrivilege	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
Token: SeDebugPrivilege	1204	FUD.exe
Token: SeRestorePrivilege	4832	dw20.exe
Token: SeBackupPrivilege	4832	dw20.exe
Token: SeBackupPrivilege	4832	dw20.exe
Token: SeBackupPrivilege	4832	dw20.exe
Token: SeDebugPrivilege	3292	FUD.exe
Token: SeDebugPrivilege	812	FUD.exe
Token: SeDebugPrivilege	3884	FUD.exe
Token: SeDebugPrivilege	4156	FUD.exe
Token: SeDebugPrivilege	4836	FUD.exe
Token: SeDebugPrivilege	4312	FUD.exe
Token: SeDebugPrivilege	3008	FUD.exe
Token: SeDebugPrivilege	3980	FUD.exe
Token: SeDebugPrivilege	5404	FUD.exe
Token: SeDebugPrivilege	5684	FUD.exe
Token: SeDebugPrivilege	5952	FUD.exe
Token: SeDebugPrivilege	5460	FUD.exe
Token: SeDebugPrivilege	3740	FUD.exe
Token: SeDebugPrivilege	1548	FUD.exe
Token: SeDebugPrivilege	6204	FUD.exe
Token: SeDebugPrivilege	6552	FUD.exe
Token: SeDebugPrivilege	6856	FUD.exe
Token: SeDebugPrivilege	7148	FUD.exe
Token: SeDebugPrivilege	6692	FUD.exe
Token: SeDebugPrivilege	6332	FUD.exe
Token: SeDebugPrivilege	7580	FUD.exe
Token: SeDebugPrivilege	7972	FUD.exe
Token: SeDebugPrivilege	7340	FUD.exe
Token: SeDebugPrivilege	7864	FUD.exe
Token: SeDebugPrivilege	7784	FUD.exe
Token: SeDebugPrivilege	7280	FUD.exe
Token: SeDebugPrivilege	8484	FUD.exe
Token: SeDebugPrivilege	8896	FUD.exe
Token: SeDebugPrivilege	9184	FUD.exe
Token: SeDebugPrivilege	8568	FUD.exe
Token: SeDebugPrivilege	5996	FUD.exe
Token: SeDebugPrivilege	4240	FUD.exe
Token: SeDebugPrivilege	8472	FUD.exe
Token: SeDebugPrivilege	5772	FUD.exe
Token: SeDebugPrivilege	9096	FUD.exe
Token: SeDebugPrivilege	7768	FUD.exe
Token: SeDebugPrivilege	8100	FUD.exe
Token: SeDebugPrivilege	4996	FUD.exe
Token: SeDebugPrivilege	9848	FUD.exe
Token: SeDebugPrivilege	10196	FUD.exe
Token: SeDebugPrivilege	9480	FUD.exe
Token: SeDebugPrivilege	10180	FUD.exe
Token: SeDebugPrivilege	9712	FUD.exe
Token: SeDebugPrivilege	5568	FUD.exe
Token: SeDebugPrivilege	6320	FUD.exe
Token: SeDebugPrivilege	8084	FUD.exe
Token: SeDebugPrivilege	8088	FUD.exe
Token: SeDebugPrivilege	10440	FUD.exe
Token: SeDebugPrivilege	10740	FUD.exe
Token: SeDebugPrivilege	11032	FUD.exe
Token: SeDebugPrivilege	10388	FUD.exe
Token: SeDebugPrivilege	6868	FUD.exe
Token: SeDebugPrivilege	8956	FUD.exe
Token: SeDebugPrivilege	11240	FUD.exe
Token: SeDebugPrivilege	11476	FUD.exe
Token: SeDebugPrivilege	11816	FUD.exe
Token: SeDebugPrivilege	12220	FUD.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3396	vbc.exe
2032	vbc.exe
3968	vbc.exe
1724	vbc.exe
2572	vbc.exe
4824	vbc.exe
5104	vbc.exe
5056	vbc.exe
4448	vbc.exe
4976	vbc.exe
4160	vbc.exe
5436	vbc.exe
5716	vbc.exe
6020	vbc.exe
5520	vbc.exe
6068	vbc.exe
5184	vbc.exe
6268	vbc.exe
6588	vbc.exe
6896	vbc.exe
5168	vbc.exe
6724	vbc.exe
6396	vbc.exe
7684	vbc.exe
8004	vbc.exe
7416	vbc.exe
8104	vbc.exe
6712	vbc.exe
7228	vbc.exe
8532	vbc.exe
8924	vbc.exe
9212	vbc.exe
6704	vbc.exe
3504	vbc.exe
2180	vbc.exe
7456	vbc.exe
8632	vbc.exe
8208	vbc.exe
7372	vbc.exe
8152	vbc.exe
9272	vbc.exe
9880	vbc.exe
10236	vbc.exe
9492	vbc.exe
9236	vbc.exe
9736	vbc.exe
6296	vbc.exe
6548	vbc.exe
9552	vbc.exe
8608	vbc.exe
10468	vbc.exe
10768	vbc.exe
11072	vbc.exe
8980	vbc.exe
9296	vbc.exe
10980	vbc.exe
8048	vbc.exe
11512	vbc.exe
11848	vbc.exe
12256	vbc.exe
11556	vbc.exe
12088	vbc.exe
12116	vbc.exe
2104	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 4980 wrote to memory of 3396	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	87
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 3396 wrote to memory of 4056	3396	vbc.exe	88
PID 4980 wrote to memory of 4052	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	89
PID 4980 wrote to memory of 4052	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	89
PID 4980 wrote to memory of 4052	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	89
PID 4980 wrote to memory of 4216	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	90
PID 4980 wrote to memory of 4216	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	90
PID 4980 wrote to memory of 4216	4980	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	90
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 4052 wrote to memory of 2032	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	93
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 2032 wrote to memory of 4416	2032	vbc.exe	95
PID 244 wrote to memory of 1204	244	cmd.exe	96
PID 244 wrote to memory of 1204	244	cmd.exe	96
PID 244 wrote to memory of 1204	244	cmd.exe	96
PID 4052 wrote to memory of 4064	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	97
PID 4052 wrote to memory of 4064	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	97
PID 4052 wrote to memory of 4064	4052	JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe	97
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 3968	1204	FUD.exe	98
PID 1204 wrote to memory of 4832	1204	FUD.exe	142
PID 1204 wrote to memory of 4832	1204	FUD.exe	142
PID 1204 wrote to memory of 4832	1204	FUD.exe	142
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 3968 wrote to memory of 1440	3968	vbc.exe	100
PID 2976 wrote to memory of 3292	2976	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\HrzUxagwGv.ini"
    3⤵
    PID:4056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:7024
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa55a896d27c573c44b0f6b36529a19f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JjVX3VKq4w.ini"
      4⤵
      PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6988
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4064
- C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
  "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\R0e7AbmGQ4.ini"
      4⤵
      PID:1440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1048
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:1724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\zemZNIkBEx.ini"
      4⤵
      PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6972
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5112
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:2572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ysf8tAzxLG.ini"
      4⤵
      PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:7020
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:440
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\elDwAHprJH.ini"
      4⤵
      PID:4736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7044
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:1480
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\1Z2mkB67RJ.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6932
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:3424
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\fjKd6QNECc.ini"
      4⤵
      PID:4712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XlrG7oaceb.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6788
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\2UOJQMvSvK.ini"
      4⤵
      PID:772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\LyNCq0wnQP.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6740
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\AnU33s7gpm.ini"
      4⤵
      PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\rv1le5BYdF.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7324
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:2520
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\AirVxM5dX7.ini"
      4⤵
      PID:5016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\f4sE2TM5t3.ini"
      4⤵
      PID:8044
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\VlV9LGBs7R.ini"
      4⤵
      PID:5488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\B1Yj5qkQKE.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8148
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5632
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Us11UdgZWl.ini"
      4⤵
      PID:5768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\3m9IFi02OR.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7380
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5908
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\hcfbCA9w5y.ini"
      4⤵
      PID:6072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\f2zvzcuSmO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6924
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Uq8hRmEwP6.ini"
      4⤵
      PID:5604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Ct4mBkOK8F.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8160
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5884
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\1daqSOVsHN.ini"
      4⤵
      PID:3124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\14iK5OQT1j.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8408
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5764
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5592
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\VlZpkpIBMB.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\PkCJmNDotR.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8728
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6156
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\iUDPRMkYvO.ini"
      4⤵
      PID:6316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\uNxBnTYvBf.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8412
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6460
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Ll22BHeyJM.ini"
      4⤵
      PID:6640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\uNxBnTYvBf.ini"
      4⤵
      PID:7112
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6772
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\jSJ6OWIwok.ini"
      4⤵
      PID:6944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\uNxBnTYvBf.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6168
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7076
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\qoGJbJfcNB.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0dR5OMpYO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8704
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6480
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\NfKAnR9Uk2.ini"
      4⤵
      PID:6820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0dR5OMpYO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6076
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7068
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:6396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\kQOr6NhiTk.ini"
      4⤵
      PID:6344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0dR5OMpYO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6256
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6612
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:7684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\tdvt7x74WD.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\uNxBnTYvBf.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7008
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:7852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7888
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:8004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\FPzaRtgHFv.ini"
      4⤵
      PID:8060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0dR5OMpYO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7556
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7208
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:7416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\lREm5DpWX5.ini"
      4⤵
      PID:6428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0dR5OMpYO.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7052
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7824
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Ni2UapaKih.ini"
      4⤵
      PID:8132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\x0bVr6DEK3.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9396
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7460
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\GPpVQin5JF.ini"
      4⤵
      PID:8172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\S3pmH8ErPt.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:10060
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6408
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:7228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\PaZSv2Npk3.ini"
      4⤵
      PID:8252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\H69TIrm613.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:10160
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:8364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8400
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\5VsPT7vl7P.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\vIBTv4lGBg.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9524
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:8784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8828
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\PYf9sBuCdO.ini"
      4⤵
      PID:8976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\I4DE0iBsg3.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7700
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:9092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9128
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:9184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ImPh1Lbbzg.ini"
      4⤵
      PID:8272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\QMLtsWVioq.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9540
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7156
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\bupyWwd6nK.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\EUI8zl60je.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9740
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6136
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\8luph56zAB.ini"
      4⤵
      PID:6536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\wlLM9dLdi6.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9960
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:8812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:1512
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7040
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\IkTSjD1Neg.ini"
      4⤵
      PID:8932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\FsnZsWVjj4.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9972
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:8268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8332
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:7456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Rx0UlmRjh9.ini"
      4⤵
      PID:4392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JWQyhs2Se8.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9088
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6244
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\dp4FeXqRnL.ini"
      4⤵
      PID:7044
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\OERXJGGcgW.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:10872
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:7444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8120
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:9096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\pcVTSlE4Zs.ini"
      4⤵
      PID:5616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\OERXJGGcgW.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:10884
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8644
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:7768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:7372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\qZfzsV2dus.ini"
      4⤵
      PID:8768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BSxT1RbnRJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9912
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8952
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7444
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\l3UbixjQxT.ini"
      4⤵
      PID:5208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BSxT1RbnRJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:10864
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8812
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\LYCsjQk1EO.ini"
      4⤵
      PID:9640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BSxT1RbnRJ.ini"
      4⤵
      PID:10832
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9796
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:9848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:9880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\TrIcMwvF9q.ini"
      4⤵
      PID:9932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BSxT1RbnRJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6828
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10052
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10196
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:10236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Umg4HQtBqB.ini"
      4⤵
      PID:9264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\VUo2t6rPOy.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:9728
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:9368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9424
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9492
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\IwLXQL4vwz.ini"
      4⤵
      PID:9672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\BSxT1RbnRJ.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:10788
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10032
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JuSDNUbIpK.ini"
      4⤵
      PID:9372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\CQ2EjJ1Z7K.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9580
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:9712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\CZSAg8xQoD.ini"
      4⤵
      PID:8236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\sJY7m8jsr0.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:11128
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8028
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JJuongjpO5.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\DIXIpEfTvL.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:11200
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7348
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\g41LZCYEZS.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\LYunQ4GGen.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:11440
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:7488
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:8084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:9552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\qByfyoDilw.ini"
      4⤵
      PID:7180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\rwvCwTEnlO.ini"
      4⤵
      PID:11572
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:9648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9356
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:8088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8608
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\iwYJuOLjbo.ini"
      4⤵
      PID:8068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ho2dFiz5Eu.ini"
      4⤵
      PID:11980
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10376
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:10468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\X7Cro1NsTH.ini"
      4⤵
      PID:10520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\q1Yk20Hr33.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4228
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10652
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:10768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\FrIZfd8rhz.ini"
      4⤵
      PID:10848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      PID:2320
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10968
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:11032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:11072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ZwrRLfpKcJ.ini"
      4⤵
      PID:11140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:5444
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:11244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10276
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:10388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\33tH6gto8n.ini"
      4⤵
      PID:10540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      PID:11564
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:10628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10000
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:9296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JWi30EVCFi.ini"
      4⤵
      PID:11256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9896
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10628
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:8956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:10980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\i7RKpoWs7S.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2188
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9840
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:11240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\j5av1GCqD8.ini"
      4⤵
      PID:2516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\nUBm2YtDMy.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:9380
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:11332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11372
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:11476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:11512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\FUXT35tBt3.ini"
      4⤵
      PID:11580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\vnEgCUoGpk.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12332
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:11724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11756
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:11816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:11848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\kV0bC9CmYY.ini"
      4⤵
      PID:11900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JSmVN3rn89.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12544
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:12068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12156
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:12220
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:12256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\vQlftI3KbO.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\3R6cg5onYd.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12808
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:11556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\wL87om1GJk.ini"
      4⤵
      PID:9956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\QD9OlkEQ30.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12960
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:11724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11988
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:12088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\RONJS6AUbu.ini"
      4⤵
      PID:9936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\S5hIKE9VJh.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:13256
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9308
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:10636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:12116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\TGuInIwzdG.ini"
      4⤵
      PID:8140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\GDcbCBbD0B.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12416
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11272
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\e9vDDU5VHm.ini"
      4⤵
      PID:9908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\J8ijZt4wIr.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:4668
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9572
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:10392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:10796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\f64kdDt4bm.ini"
      4⤵
      PID:10296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8416
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12180
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:11444
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\UB7fhb1jPw.ini"
      4⤵
      PID:11412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:6196
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9328
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\HQalwD6ij4.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:13280
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:12136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11688
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:3568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\A7Nml6JTLc.ini"
      4⤵
      PID:11748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12276
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:11592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:11548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:11776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Qd4xUDGtLr.ini"
      4⤵
      PID:12308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12572
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:12444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12480
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:12604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\8O8j6XsILE.ini"
      4⤵
      PID:12680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\p4ODbGSIj2.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:12532
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:12856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12888
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:13028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\WaUvoUgrh2.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:13152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\yecgl3IAwv.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:8344
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:13240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:13296
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:12500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\UpLeqlfSNe.ini"
      4⤵
      PID:12672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\AXVNeepg5S.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:7576
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:12876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12648
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:13212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\zqdgzf5r7U.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:13284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Z99slMRZIB.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:4444
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:11084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12372
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\WiehhEIZ2g.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:13112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\QeX8hL5mA5.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:5492
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:11528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:12896
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:4512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\aM9xkg5gFP.ini"
      4⤵
      PID:12816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\QeX8hL5mA5.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:11224
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9176
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:12304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:11528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\NC5o6nDxMG.ini"
      4⤵
      PID:12384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\D33KtYE6wW.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:13224
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:8288
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:8116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:1684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ImK2Y1nQKA.ini"
      4⤵
      PID:2148
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\vrqQIGILuY.ini"
      4⤵
      PID:13476
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:12812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:11312
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:8096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:11940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\P3eigH82cw.ini"
      4⤵
      PID:7776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\6ksGxjZSlP.ini"
      4⤵
      PID:13568
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:9636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:9224
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - Checks computer location settings
  PID:13180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:12652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\P7K6FNRHMH.ini"
      4⤵
      PID:13036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\qtJJgvry4s.ini"
      4⤵
      PID:13412
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:10188
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13108
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:6132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\kZTAW2xGw1.ini"
      4⤵
      PID:12964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\qtJJgvry4s.ini"
      4⤵
      PID:13460
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    - Adds Run key to start application
    PID:13064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:13240
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:12564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\L5xW3moTqb.ini"
      4⤵
      PID:13396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\JBNJ8FqDoK.ini"
      4⤵
      PID:13264
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:13628
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:13728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\D1e6OWG0ZS.ini"
      4⤵
      PID:13816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\PmulkXXOSo.ini"
      4⤵
      PID:13572
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:13944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:13976
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:14052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:14080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\fpgXPPsTHy.ini"
      4⤵
      PID:14144
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:14248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:14280
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:10568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:3708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\3ZqvfUy4t1.ini"
      4⤵
      PID:12448
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:10488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:4784
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    PID:13828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\ieL8v3KwQ0.ini"
      4⤵
      PID:13924
- - C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe
    "C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe"
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FUD.exe
1⤵
PID:4344
- C:\Users\Admin\AppData\Roaming\FUD.exe
  C:\Users\Admin\AppData\Roaming\FUD.exe
  2⤵
  PID:13864

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\zYznmstQsD.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysf8tAzxLG.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\FUD.exe

Filesize
584KB

MD5
aa55a896d27c573c44b0f6b36529a19f

SHA1
4b08027845296f05bb8251a70aa054ff16aabdfd

SHA256
53fba2b982786f4089a9b25645858bc9d57fd6a0611e64e5b21567a4fc6713d5

SHA512
2e4df771683a664945ee6876980dafd188ce77ae53aa72f7166da5365e73952ec9183ab4eac5b469b1b629f19f30b155a889679ea699c19101a37a5391446b57

Download Submit
C:\Users\Admin\AppData\Roaming\zYznmstQsD.exe

Filesize
4KB

MD5
e36e589c7cc7a29177a51d46b4afd7b2

SHA1
ff08476472f87f1ef9e9a661dc4488a13b03f61c

SHA256
f10a75bb475cc045c15fabc28b17a8c9e72173ada616b2c2c0374122ec961302

SHA512
9d29169fc795b76479bbc63c802628cb14d8b3cdbd89526670e7b020bd6a9661c47b1202a930278579d03c402d62c679f324df224b568dafcf869847d8030b46

Download Submit
memory/772-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/772-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1440-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-91-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2380-234-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3396-804-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3500-116-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3500-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4052-236-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4052-34-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4056-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-30-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/4216-33-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4216-32-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4392-950-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4416-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4416-46-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/4416-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-164-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4736-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-138-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4980-86-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4980-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/4980-85-0x0000000074E72000-0x0000000074E73000-memory.dmp

Filesize
4KB

Download
memory/4980-2-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/4980-1-0x0000000074E70000-0x0000000075421000-memory.dmp

Filesize
5.7MB

Download
memory/5016-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-259-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5140-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5140-403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5208-1037-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5488-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5604-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5604-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5616-994-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5768-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5768-302-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6072-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6072-327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6076-1062-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6256-1060-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6288-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6316-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6316-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6344-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6428-688-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6536-903-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6536-907-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6640-464-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6740-592-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6740-565-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6788-599-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6788-566-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6820-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6932-587-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6932-567-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6944-482-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6972-601-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6988-612-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7012-614-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7020-590-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7020-568-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7024-576-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7024-583-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7044-971-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7324-603-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7324-609-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7380-671-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7380-675-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7556-1059-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7744-627-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7744-623-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8044-650-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8044-655-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8060-651-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8132-707-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8160-741-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8160-731-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8172-737-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8252-762-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8272-857-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8408-777-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8604-800-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8612-882-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8704-1061-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8728-822-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/8768-1017-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8932-928-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/8976-836-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download