isrstealer | 426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064

Analysis

max time kernel
4294211s
max time network
152s
platform
windows7_x64
resource
win7-20220223-en
submitted
08-03-2022 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe
Size

340KB
MD5

92ee38e8d9fe99d649037bafb1e9e3ce
SHA1

3713b8781411d2e0d948dfb932ac28e92bc8047b
SHA256

426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064
SHA512

3d026f98cdc0bbcfbdfe01c47af000f28c4a76b8c4a904ea14f52f82e617ba0c56e10f9eb7b11edf78267cd949e18d98bfd5a120f04a8650e3c680f959914d10

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 2 IoCs

resource	yara_rule
behavioral1/memory/480-68-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/480-70-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/468-89-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/468-88-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1816-122-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1816-123-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1332-156-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/468-89-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/468-88-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1816-122-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1816-123-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1332-156-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 55 IoCs

pid	Process
2000	filename.exe
480	filename.exe
1816	filename.exe
468	filename.exe
1628	filename.exe
2016	filename.exe
636	filename.exe
1816	filename.exe
1936	filename.exe
1712	filename.exe
1044	filename.exe
1332	filename.exe
568	filename.exe
708	filename.exe
1264	filename.exe
852	filename.exe
1064	filename.exe
1992	filename.exe
1824	filename.exe
1528	filename.exe
2032	filename.exe
1072	filename.exe
1560	filename.exe
1880	filename.exe
1828	filename.exe
1232	filename.exe
1564	filename.exe
1804	filename.exe
1256	filename.exe
1528	filename.exe
1840	filename.exe
1424	filename.exe
1992	filename.exe
1700	filename.exe
480	filename.exe
932	filename.exe
1536	filename.exe
1556	filename.exe
1532	filename.exe
1564	filename.exe
1504	filename.exe
1052	filename.exe
112	filename.exe
1872	filename.exe
800	filename.exe
1536	filename.exe
1636	filename.exe
340	filename.exe
1764	filename.exe
1880	filename.exe
1828	filename.exe
896	filename.exe
1416	filename.exe
1384	filename.exe
800	filename.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/468-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/468-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/468-89-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/468-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/636-112-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/636-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/636-114-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/636-113-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1816-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1816-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1816-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1044-143-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1044-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1044-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1332-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1332-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1112	cmd.exe
1112	cmd.exe
2000	filename.exe
480	filename.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 11 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 480	2000	filename.exe	33
PID 480 set thread context of 1816	480	filename.exe	38
PID 480 set thread context of 468	480	filename.exe	48
PID 1628 set thread context of 2016	1628	filename.exe	56
PID 2016 set thread context of 636	2016	filename.exe	59
PID 2016 set thread context of 1816	2016	filename.exe	75
PID 1936 set thread context of 1712	1936	filename.exe	86
PID 1712 set thread context of 1044	1712	filename.exe	89
PID 1712 set thread context of 1332	1712	filename.exe	100
PID 568 set thread context of 708	568	filename.exe	112
PID 708 set thread context of 1264	708	filename.exe	115
PID 708 set thread context of 852	708	filename.exe	128
PID 1064 set thread context of 1992	1064	filename.exe	139
PID 1992 set thread context of 1824	1992	filename.exe	140
PID 1992 set thread context of 1528	1992	filename.exe	153
PID 2032 set thread context of 1072	2032	filename.exe	165
PID 1072 set thread context of 1560	1072	filename.exe	168
PID 1072 set thread context of 1880	1072	filename.exe	179
PID 1828 set thread context of 1232	1828	filename.exe	191
PID 1232 set thread context of 1564	1232	filename.exe	194
PID 1232 set thread context of 1804	1232	filename.exe	205
PID 1256 set thread context of 1840	1256	filename.exe	218
PID 1840 set thread context of 1424	1840	filename.exe	221
PID 1840 set thread context of 1992	1840	filename.exe	232
PID 1700 set thread context of 480	1700	filename.exe	244
PID 480 set thread context of 932	480	filename.exe	247
PID 480 set thread context of 1536	480	filename.exe	258
PID 1556 set thread context of 1532	1556	filename.exe	270
PID 1532 set thread context of 1564	1532	filename.exe	272
PID 1532 set thread context of 1504	1532	filename.exe	284
PID 1052 set thread context of 1872	1052	filename.exe	296
PID 1872 set thread context of 800	1872	filename.exe	299
PID 1872 set thread context of 1536	1872	filename.exe	310
PID 1636 set thread context of 1764	1636	filename.exe	322
PID 1764 set thread context of 1880	1764	filename.exe	325
PID 1764 set thread context of 1828	1764	filename.exe	336
PID 896 set thread context of 1416	896	filename.exe	348
PID 1416 set thread context of 1384	1416	filename.exe	350
PID 1416 set thread context of 800	1416	filename.exe	362

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe
1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe
2000	filename.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe
Token: SeDebugPrivilege	2000	filename.exe
Token: SeDebugPrivilege	1628	filename.exe
Token: SeDebugPrivilege	1936	filename.exe
Token: SeDebugPrivilege	568	filename.exe
Token: SeDebugPrivilege	1064	filename.exe
Token: SeDebugPrivilege	2032	filename.exe
Token: SeDebugPrivilege	1828	filename.exe
Token: SeDebugPrivilege	1256	filename.exe
Token: SeDebugPrivilege	1700	filename.exe
Token: SeDebugPrivilege	1556	filename.exe
Token: SeDebugPrivilege	1052	filename.exe
Token: SeDebugPrivilege	1636	filename.exe
Token: SeDebugPrivilege	896	filename.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
480	filename.exe
2016	filename.exe
1712	filename.exe
708	filename.exe
1992	filename.exe
1072	filename.exe
1232	filename.exe
1840	filename.exe
480	filename.exe
1532	filename.exe
1872	filename.exe
1764	filename.exe
1416	filename.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1112	1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe	27
PID 1788 wrote to memory of 1112	1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe	27
PID 1788 wrote to memory of 1112	1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe	27
PID 1788 wrote to memory of 1112	1788	426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe	27
PID 1112 wrote to memory of 2000	1112	cmd.exe	29
PID 1112 wrote to memory of 2000	1112	cmd.exe	29
PID 1112 wrote to memory of 2000	1112	cmd.exe	29
PID 1112 wrote to memory of 2000	1112	cmd.exe	29
PID 2000 wrote to memory of 1968	2000	filename.exe	30
PID 2000 wrote to memory of 1968	2000	filename.exe	30
PID 2000 wrote to memory of 1968	2000	filename.exe	30
PID 2000 wrote to memory of 1968	2000	filename.exe	30
PID 1968 wrote to memory of 1792	1968	cmd.exe	32
PID 1968 wrote to memory of 1792	1968	cmd.exe	32
PID 1968 wrote to memory of 1792	1968	cmd.exe	32
PID 1968 wrote to memory of 1792	1968	cmd.exe	32
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 480	2000	filename.exe	33
PID 2000 wrote to memory of 708	2000	filename.exe	35
PID 2000 wrote to memory of 708	2000	filename.exe	35
PID 2000 wrote to memory of 708	2000	filename.exe	35
PID 2000 wrote to memory of 708	2000	filename.exe	35
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 480 wrote to memory of 1816	480	filename.exe	38
PID 708 wrote to memory of 1068	708	cmd.exe	37
PID 708 wrote to memory of 1068	708	cmd.exe	37
PID 708 wrote to memory of 1068	708	cmd.exe	37
PID 708 wrote to memory of 1068	708	cmd.exe	37
PID 2000 wrote to memory of 1176	2000	filename.exe	39
PID 2000 wrote to memory of 1176	2000	filename.exe	39
PID 2000 wrote to memory of 1176	2000	filename.exe	39
PID 2000 wrote to memory of 1176	2000	filename.exe	39
PID 1176 wrote to memory of 1932	1176	cmd.exe	41
PID 1176 wrote to memory of 1932	1176	cmd.exe	41
PID 1176 wrote to memory of 1932	1176	cmd.exe	41
PID 1176 wrote to memory of 1932	1176	cmd.exe	41
PID 2000 wrote to memory of 1928	2000	filename.exe	42
PID 2000 wrote to memory of 1928	2000	filename.exe	42
PID 2000 wrote to memory of 1928	2000	filename.exe	42
PID 2000 wrote to memory of 1928	2000	filename.exe	42
PID 1928 wrote to memory of 1416	1928	cmd.exe	44
PID 1928 wrote to memory of 1416	1928	cmd.exe	44
PID 1928 wrote to memory of 1416	1928	cmd.exe	44
PID 1928 wrote to memory of 1416	1928	cmd.exe	44
PID 2000 wrote to memory of 1764	2000	filename.exe	45
PID 2000 wrote to memory of 1764	2000	filename.exe	45
PID 2000 wrote to memory of 1764	2000	filename.exe	45
PID 2000 wrote to memory of 1764	2000	filename.exe	45
PID 1764 wrote to memory of 1656	1764	cmd.exe	47
PID 1764 wrote to memory of 1656	1764	cmd.exe	47
PID 1764 wrote to memory of 1656	1764	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe
"C:\Users\Admin\AppData\Local\Temp\426855460608fcd9c1b2373a1a7190cfa7f91c9b1a4d04658af45a95053c9064.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
    "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1792
  - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
      "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\9LIGWGhqgF.ini"
        5⤵
        Executes dropped EXE
        
        PID:1816
    - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\VR3tc89Oze.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:364
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1760
  - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
      "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1112
    - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2016
      - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\D7xHSS5fDc.ini"
        6⤵
        Executes dropped EXE
        
        PID:636
      - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\tqFFnvruQP.ini"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1916
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1264
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:2008
    - - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:944
      - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\RTrhmkSxCE.ini"
        7⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\79QQ4XelD1.ini"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:592
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:512
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1696
      - C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\MdfS3JVUcr.ini"
        8⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\XmlgPCdrlk.ini"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:592
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1976
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Rm3pM2RQXz.ini"
        9⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ItHVqGKAjE.ini"
        9⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1344
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1396
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\XOSl7Bl7U3.ini"
        10⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Ox4FJjNca2.ini"
        10⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:2016
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4p4DtNZT4J.ini"
        11⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\qQAPSMHaYT.ini"
        11⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:1504
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1052
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        11⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\GJSa8kIrEt.ini"
        12⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\2tahv09ZvN.ini"
        12⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:868
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1820
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:480
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\q1xA7UxD97.ini"
        13⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\fGjXe5AmZj.ini"
        13⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:804
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:1432
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TO61qZyQmS.ini"
        14⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\n8MssfgUha.ini"
        14⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        Adds Run key to start application
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        14⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1688
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:908
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        14⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wCzI5YqIne.ini"
        15⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\DmdNVSFnbJ.ini"
        15⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        15⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:968
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        15⤵
        Executes dropped EXE
        
        PID:340
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\xhlBnDO504.ini"
        16⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\LdLTRuAHOA.ini"
        16⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        16⤵
        Adds Run key to start application
        
        PID:1368
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:652
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        "C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\PGSyo4CX3o.ini"
        17⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Users\Admin\Desktop\scscscscscscacaacacsfdf\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Idv3ljHIRp.ini"
        17⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        17⤵
        Adds Run key to start application
        
        PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/480-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/480-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/480-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/480-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/568-162-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/568-161-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/568-160-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/636-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-114-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/896-462-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/896-461-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/896-460-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1044-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-389-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-388-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1052-387-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-215-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1064-216-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-214-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1256-315-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1256-317-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1256-318-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1332-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-380-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1556-379-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-381-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-94-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-92-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-93-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1636-415-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-417-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-416-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1700-346-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1700-345-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-347-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-57-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-56-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1788-54-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/1788-55-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-283-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-281-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-282-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1936-146-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-147-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1936-148-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-79-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-82-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-81-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2032-249-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2032-248-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download