isrstealer | 39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685

Analysis

max time kernel
153s
max time network
161s
platform
windows7_x64
resource
win7-en-20211208
submitted
08-03-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
Size

340KB
MD5

445ceb67566b9baadce86dea15d48026
SHA1

2ce8fccfec4a063cb153cc0d0d539612e14ba1a3
SHA256

39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685
SHA512

dcc02495e096f2fd7d057e6c84c521541cc18e1756dd6599cb66a5c76076db6f2c6961395ebc08c43a876fc792a301635c6ea9b3ab9f8f082d4abb9abcbc687c

Score

10^/10

isrstealer collection persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1536-71-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/1536-73-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1076-121-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1076-122-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1940-156-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1940-155-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/1076-121-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1076-122-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1940-156-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1940-155-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 35 IoCs

pid	Process
384	filename.exe
1536	filename.exe
316	filename.exe
1532	filename.exe
1604	filename.exe
300	filename.exe
1960	filename.exe
1076	filename.exe
920	filename.exe
484	filename.exe
1468	filename.exe
1940	filename.exe
1220	filename.exe
1708	filename.exe
1724	filename.exe
484	filename.exe
1088	filename.exe
1280	filename.exe
2044	filename.exe
1284	filename.exe
808	filename.exe
1548	filename.exe
1720	filename.exe
864	filename.exe
1124	filename.exe
1736	filename.exe
1824	filename.exe
888	filename.exe
1708	filename.exe
1284	filename.exe
1688	filename.exe
1500	filename.exe
1496	filename.exe
2020	filename.exe
1220	filename.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-79-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/316-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/316-85-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/316-84-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1960-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1960-109-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1960-110-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1076-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-120-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1468-142-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1468-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1468-143-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1940-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
300	cmd.exe
300	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	filename.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 1536	384	filename.exe	34
PID 1536 set thread context of 316	1536	filename.exe	38
PID 1536 set thread context of 1532	1536	filename.exe	51
PID 1604 set thread context of 300	1604	filename.exe	59
PID 300 set thread context of 1960	300	filename.exe	62
PID 300 set thread context of 1076	300	filename.exe	92
PID 920 set thread context of 484	920	filename.exe	103
PID 484 set thread context of 1468	484	filename.exe	106
PID 484 set thread context of 1940	484	filename.exe	121
PID 1220 set thread context of 1708	1220	filename.exe	129
PID 1708 set thread context of 1724	1708	filename.exe	132
PID 1708 set thread context of 484	1708	filename.exe	147
PID 1088 set thread context of 1280	1088	filename.exe	158
PID 1280 set thread context of 2044	1280	filename.exe	161
PID 1280 set thread context of 1284	1280	filename.exe	176
PID 808 set thread context of 1548	808	filename.exe	187
PID 1548 set thread context of 1720	1548	filename.exe	191
PID 1548 set thread context of 864	1548	filename.exe	205
PID 1124 set thread context of 1736	1124	filename.exe	216
PID 1736 set thread context of 1824	1736	filename.exe	219
PID 1736 set thread context of 888	1736	filename.exe	234
PID 1708 set thread context of 1284	1708	filename.exe	245
PID 1284 set thread context of 1688	1284	filename.exe	249
PID 1284 set thread context of 1500	1284	filename.exe	263
PID 1496 set thread context of 2020	1496	filename.exe	274
PID 2020 set thread context of 1220	2020	filename.exe	278

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe
384	filename.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
Token: SeDebugPrivilege	384	filename.exe
Token: SeDebugPrivilege	1604	filename.exe
Token: SeDebugPrivilege	920	filename.exe
Token: SeDebugPrivilege	1220	filename.exe
Token: SeDebugPrivilege	1088	filename.exe
Token: SeDebugPrivilege	808	filename.exe
Token: SeDebugPrivilege	1124	filename.exe
Token: SeDebugPrivilege	1708	filename.exe
Token: SeDebugPrivilege	1496	filename.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1536	filename.exe
300	filename.exe
484	filename.exe
1708	filename.exe
1280	filename.exe
1548	filename.exe
1736	filename.exe
1284	filename.exe
2020	filename.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 300	1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe	27
PID 1288 wrote to memory of 300	1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe	27
PID 1288 wrote to memory of 300	1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe	27
PID 1288 wrote to memory of 300	1288	39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe	27
PID 300 wrote to memory of 384	300	cmd.exe	30
PID 300 wrote to memory of 384	300	cmd.exe	30
PID 300 wrote to memory of 384	300	cmd.exe	30
PID 300 wrote to memory of 384	300	cmd.exe	30
PID 384 wrote to memory of 432	384	filename.exe	31
PID 384 wrote to memory of 432	384	filename.exe	31
PID 384 wrote to memory of 432	384	filename.exe	31
PID 384 wrote to memory of 432	384	filename.exe	31
PID 432 wrote to memory of 1292	432	cmd.exe	33
PID 432 wrote to memory of 1292	432	cmd.exe	33
PID 432 wrote to memory of 1292	432	cmd.exe	33
PID 432 wrote to memory of 1292	432	cmd.exe	33
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 1536	384	filename.exe	34
PID 384 wrote to memory of 996	384	filename.exe	35
PID 384 wrote to memory of 996	384	filename.exe	35
PID 384 wrote to memory of 996	384	filename.exe	35
PID 384 wrote to memory of 996	384	filename.exe	35
PID 996 wrote to memory of 1176	996	cmd.exe	37
PID 996 wrote to memory of 1176	996	cmd.exe	37
PID 996 wrote to memory of 1176	996	cmd.exe	37
PID 996 wrote to memory of 1176	996	cmd.exe	37
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 1536 wrote to memory of 316	1536	filename.exe	38
PID 384 wrote to memory of 2044	384	filename.exe	39
PID 384 wrote to memory of 2044	384	filename.exe	39
PID 384 wrote to memory of 2044	384	filename.exe	39
PID 384 wrote to memory of 2044	384	filename.exe	39
PID 2044 wrote to memory of 1936	2044	cmd.exe	41
PID 2044 wrote to memory of 1936	2044	cmd.exe	41
PID 2044 wrote to memory of 1936	2044	cmd.exe	41
PID 2044 wrote to memory of 1936	2044	cmd.exe	41
PID 384 wrote to memory of 1968	384	filename.exe	42
PID 384 wrote to memory of 1968	384	filename.exe	42
PID 384 wrote to memory of 1968	384	filename.exe	42
PID 384 wrote to memory of 1968	384	filename.exe	42
PID 1968 wrote to memory of 1492	1968	cmd.exe	44
PID 1968 wrote to memory of 1492	1968	cmd.exe	44
PID 1968 wrote to memory of 1492	1968	cmd.exe	44
PID 1968 wrote to memory of 1492	1968	cmd.exe	44
PID 384 wrote to memory of 1580	384	filename.exe	45
PID 384 wrote to memory of 1580	384	filename.exe	45
PID 384 wrote to memory of 1580	384	filename.exe	45
PID 384 wrote to memory of 1580	384	filename.exe	45
PID 1580 wrote to memory of 1996	1580	cmd.exe	47
PID 1580 wrote to memory of 1996	1580	cmd.exe	47
PID 1580 wrote to memory of 1996	1580	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe
"C:\Users\Admin\AppData\Local\Temp\39ca8f9968b34c7262a5cd169e55959351c68a094983ea537b54e555be87d685.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
    "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1292
  - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
      "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\S2Kn4FrzMo.ini"
        5⤵
        Executes dropped EXE
        
        PID:316
    - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\fzHcBETboj.ini"
        5⤵
        Executes dropped EXE
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:1728
  - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
      "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1984
    - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:300
      - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\T8dA8Q8fo8.ini"
        6⤵
        Executes dropped EXE
        
        PID:1960
      - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\vJ6hDCMTWg.ini"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1780
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1648
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1316
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1116
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:576
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:652
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        Adds Run key to start application
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        6⤵
        
        PID:1176
    - - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1580
      - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4p8sMiOdjp.ini"
        7⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\nkgPoCypxv.ini"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1472
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:652
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1176
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        7⤵
        Adds Run key to start application
        
        PID:1288
      - C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        
        PID:1472
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\GvqnSrhVjz.ini"
        8⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\dLTIMxWikA.ini"
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        8⤵
        Adds Run key to start application
        
        PID:1692
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mP8en9o74Z.ini"
        9⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\sckAbiqwQ6.ini"
        9⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        9⤵
        Adds Run key to start application
        
        PID:1092
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1316
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5HBW3gM1lF.ini"
        10⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\k2KsCiSHrM.ini"
        10⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        10⤵
        Adds Run key to start application
        
        PID:1400
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1816
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\oeW9HksJB1.ini"
        11⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TxNRRKfb2O.ini"
        11⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        Adds Run key to start application
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        11⤵
        
        PID:996
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1424
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\B4boVO3TjR.ini"
        12⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mkmqM22rE5.ini"
        12⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        12⤵
        Adds Run key to start application
        
        PID:1292
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        
        PID:668
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        "C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Users\Admin\Desktop\sgdshfjgfgdsvgr\filename.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\aKUE0ZQf7E.ini"
        13⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        13⤵
        Adds Run key to start application
        
        PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/316-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/316-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/316-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/384-66-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/384-65-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/384-64-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/808-230-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/808-228-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/808-229-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/920-147-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-145-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/920-146-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1076-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-215-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-213-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-214-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1124-263-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-261-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-262-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1220-161-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-160-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1220-159-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-56-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1288-58-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-57-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1468-142-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-329-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-333-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-330-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1536-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1536-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-112-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1604-113-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-111-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-316-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1708-315-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-109-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-110-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1960-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download