isrstealer | 0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8

Analysis

max time kernel
173s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
Size

368KB
MD5

88ce30bc2d9e7da8d46f6bf7895d8dde
SHA1

eaba322eeddf41ca8ce013a1f7a38e658f464b40
SHA256

0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8
SHA512

0f0410c2c97757c6b1e1c9d51343db22d7fe7688b5424fde5bbcc7845eafd2302a25e289da167916aeb4e1ca85fce887b16564552965f9c35c6f64e3fe4e16d4
SSDEEP

6144:yBljsvTdniPKRIQSk6wdKs+Gp1d/TtuxLFzOfNyM48JhJfJeY8Cvv4bNmgUXx:8jsv5cKEk6wdKq1uj8p9HzoPOx

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 18 IoCs

resource	yara_rule
behavioral2/memory/224-135-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/224-145-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-162-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/224-196-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-197-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1148-198-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1468-210-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1468-220-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1468-221-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4896-232-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4896-241-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4896-242-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-254-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-263-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2600-264-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/428-275-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/428-284-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1512-296-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2044-180-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2044-181-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1548-195-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2180-218-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2180-219-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3176-240-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/3364-262-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4656-283-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/2044-180-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2044-181-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1548-195-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2180-218-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2180-219-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3176-240-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/3364-262-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4656-283-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
3496	NcbService.exe
1480	CertPropSvc.exe
4132	NcbService.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-140-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4372-142-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4372-143-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4372-144-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3688-169-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3688-168-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3688-170-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2044-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2044-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2044-180-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2044-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1548-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2516-207-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2516-208-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2516-209-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2180-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2180-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2180-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3176-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3356-253-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3364-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4656-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3384-295-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	CertPropSvc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 224 set thread context of 4372	224	vbc.exe	87
PID 1480 set thread context of 1148	1480	CertPropSvc.exe	93
PID 1148 set thread context of 3688	1148	vbc.exe	94
PID 224 set thread context of 2044	224	vbc.exe	96
PID 1148 set thread context of 1548	1148	vbc.exe	97
PID 1480 set thread context of 1468	1480	CertPropSvc.exe	98
PID 1468 set thread context of 2516	1468	vbc.exe	99
PID 1468 set thread context of 2180	1468	vbc.exe	100
PID 1480 set thread context of 4896	1480	CertPropSvc.exe	101
PID 4896 set thread context of 4812	4896	vbc.exe	102
PID 4896 set thread context of 3176	4896	vbc.exe	103
PID 1480 set thread context of 2600	1480	CertPropSvc.exe	104
PID 2600 set thread context of 3356	2600	vbc.exe	105
PID 2600 set thread context of 3364	2600	vbc.exe	106
PID 1480 set thread context of 428	1480	CertPropSvc.exe	107
PID 428 set thread context of 4404	428	vbc.exe	108
PID 428 set thread context of 4656	428	vbc.exe	109
PID 1480 set thread context of 1512	1480	CertPropSvc.exe	110
PID 1512 set thread context of 3384	1512	vbc.exe	111
PID 1512 set thread context of 4768	1512	vbc.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
3496	NcbService.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
3496	NcbService.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
Token: SeDebugPrivilege	3496	NcbService.exe
Token: SeDebugPrivilege	1480	CertPropSvc.exe
Token: SeDebugPrivilege	4132	NcbService.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
224	vbc.exe
1148	vbc.exe
1468	vbc.exe
4896	vbc.exe
2600	vbc.exe
428	vbc.exe
1512	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 1584 wrote to memory of 224	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	86
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 224 wrote to memory of 4372	224	vbc.exe	87
PID 1584 wrote to memory of 3496	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	89
PID 1584 wrote to memory of 3496	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	89
PID 1584 wrote to memory of 3496	1584	0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe	89
PID 3496 wrote to memory of 1480	3496	NcbService.exe	92
PID 3496 wrote to memory of 1480	3496	NcbService.exe	92
PID 3496 wrote to memory of 1480	3496	NcbService.exe	92
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1480 wrote to memory of 1148	1480	CertPropSvc.exe	93
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1148 wrote to memory of 3688	1148	vbc.exe	94
PID 1480 wrote to memory of 4132	1480	CertPropSvc.exe	95
PID 1480 wrote to memory of 4132	1480	CertPropSvc.exe	95
PID 1480 wrote to memory of 4132	1480	CertPropSvc.exe	95
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 224 wrote to memory of 2044	224	vbc.exe	96
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1148 wrote to memory of 1548	1148	vbc.exe	97
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1480 wrote to memory of 1468	1480	CertPropSvc.exe	98
PID 1468 wrote to memory of 2516	1468	vbc.exe	99
PID 1468 wrote to memory of 2516	1468	vbc.exe	99

C:\Users\Admin\AppData\Local\Temp\0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe
"C:\Users\Admin\AppData\Local\Temp\0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\rTzsdwVrNy.ini"
    3⤵
    PID:4372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\WKce1qBjed.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\vC7dwSklhu.ini"
        5⤵
        
        PID:3688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wy2EfpdFT1.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:1548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\gvvCFXUZI6.ini"
        5⤵
        
        PID:2516
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1jiMqZcg1t.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:2180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\x7IGbi9v2P.ini"
        5⤵
        
        PID:4812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\4F95XsP5Ox.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:3176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\sqeXhefXum.ini"
        5⤵
        
        PID:3356
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\RoNbPy3M2h.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:3364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:428
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Wn78rLAIoR.ini"
        5⤵
        
        PID:4404
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\GAsQ0zb30c.ini"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:4656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1512
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\TycdLsa2b5.ini"
        5⤵
        
        PID:3384
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\mNzygzYJnV.ini"
        5⤵
        
        PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
1a295f69dfd5c6f54042f8bc5b31a6af

SHA1
d2b64e2902114ce584f382cbd78b06354b6b14f7

SHA256
b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55

SHA512
3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
136889ac23008bfdfefb91c9e5d8a11d

SHA1
8343b8ef34dc565eda256e042b43064cb8017131

SHA256
35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5

SHA512
b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71

Filesize
472B

MD5
bdc6b2c014249f4798958a4fbf2922b2

SHA1
de643472929c8d76e69dcafa5f4c55765c1217af

SHA256
87acc146d56827026e9c6843a2787d7845c103ef7ebc56b68fcc36001da44539

SHA512
397f82b065e13d0f8b4f83150e1da2e9f0a21c39c2be3be41536d3a7c4a0b974a0a140711a875a83aa1a056c00141fc6f78b5b46f0a97b06f71b4ab903fb614b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
29912de4388a27b9ef0dd06e0de124ee

SHA1
e2079dbe65861980226a302a265a3641890f477a

SHA256
03a44aadc69a533c66e94132930c3e69e5c385528b891b0bd68a598eeb950e79

SHA512
c99eb475d16e6adc82e2fd8615fd9c2686c06c0e179236d4e518d603f75d64013d691559181777c8def5063b03c6826fa8e937391767b2bed902f66d4e6143f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
26730ea91cefd35e0609b8971aa2a4c6

SHA1
08b195b8b20c991842ff244d92cd4e26a18a8525

SHA256
d232c90cd7a042a147c39a65144f83771c62ea45f9b69051256a2f44879b47d4

SHA512
8a2b65176373838415d4149a9a4c7ba8a7ac234d0b5446bba951a7ce400acc59a896b210bece44980277e7b570913299f24cf9b589d438e744dc61c737c68bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71

Filesize
484B

MD5
53ff88f06c1e791ab62a30b851c4fe89

SHA1
d032aa4957551aeb335b77827b2910d50fcd69ef

SHA256
a987b34ea6f6e9c7d428dc30658b613403ef03e016b28e94dc78972065c882dd

SHA512
3e59cfd7ff2b4cc15baee6170a4ee6692a93739d207041b2ba019b49d60f384ab28b19b7f520d2c65a342062d7536941981ad925dfb9b82d6d5125fdcd1efc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NcbService.exe.log

Filesize
404B

MD5
15b6596d028baa2a113143d1828bcc36

SHA1
f1be43126c4e765fe499718c388823d44bf1fef1

SHA256
529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75

SHA512
f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\index[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TycdLsa2b5.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wn78rLAIoR.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvvCFXUZI6.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rTzsdwVrNy.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqeXhefXum.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vC7dwSklhu.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7IGbi9v2P.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe

Filesize
368KB

MD5
88ce30bc2d9e7da8d46f6bf7895d8dde

SHA1
eaba322eeddf41ca8ce013a1f7a38e658f464b40

SHA256
0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8

SHA512
0f0410c2c97757c6b1e1c9d51343db22d7fe7688b5424fde5bbcc7845eafd2302a25e289da167916aeb4e1ca85fce887b16564552965f9c35c6f64e3fe4e16d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CertPropSvc.exe

Filesize
368KB

MD5
88ce30bc2d9e7da8d46f6bf7895d8dde

SHA1
eaba322eeddf41ca8ce013a1f7a38e658f464b40

SHA256
0a3611b8e640f07b495d536318bc34eccec79552d2591d05a0015227ec1e62d8

SHA512
0f0410c2c97757c6b1e1c9d51343db22d7fe7688b5424fde5bbcc7845eafd2302a25e289da167916aeb4e1ca85fce887b16564552965f9c35c6f64e3fe4e16d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
11KB

MD5
a5bbc1dcf458ce144d1bdae33245ee5e

SHA1
b0828e9a1861bed8afabe669da763b2518e072d2

SHA256
cae810e9bbd9ad8faeff1229bfc182e611c6064ee1ce273c8e9d45df4709d7dc

SHA512
423afc2579dd197e577b11c621490fe2673e6f1a3acfb4c37a18805cf5e57c81e27bda41be0c2101c6aca0d81999c3bc35e6fd4e48655df981d485e097fcb26d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
11KB

MD5
a5bbc1dcf458ce144d1bdae33245ee5e

SHA1
b0828e9a1861bed8afabe669da763b2518e072d2

SHA256
cae810e9bbd9ad8faeff1229bfc182e611c6064ee1ce273c8e9d45df4709d7dc

SHA512
423afc2579dd197e577b11c621490fe2673e6f1a3acfb4c37a18805cf5e57c81e27bda41be0c2101c6aca0d81999c3bc35e6fd4e48655df981d485e097fcb26d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
11KB

MD5
a5bbc1dcf458ce144d1bdae33245ee5e

SHA1
b0828e9a1861bed8afabe669da763b2518e072d2

SHA256
cae810e9bbd9ad8faeff1229bfc182e611c6064ee1ce273c8e9d45df4709d7dc

SHA512
423afc2579dd197e577b11c621490fe2673e6f1a3acfb4c37a18805cf5e57c81e27bda41be0c2101c6aca0d81999c3bc35e6fd4e48655df981d485e097fcb26d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\NcbService.exe

Filesize
11KB

MD5
a5bbc1dcf458ce144d1bdae33245ee5e

SHA1
b0828e9a1861bed8afabe669da763b2518e072d2

SHA256
cae810e9bbd9ad8faeff1229bfc182e611c6064ee1ce273c8e9d45df4709d7dc

SHA512
423afc2579dd197e577b11c621490fe2673e6f1a3acfb4c37a18805cf5e57c81e27bda41be0c2101c6aca0d81999c3bc35e6fd4e48655df981d485e097fcb26d

Download Submit
memory/224-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/224-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/224-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/428-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/428-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-156-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1480-153-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1512-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-132-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-133-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1584-158-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2044-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2600-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3176-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3364-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3384-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-157-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3496-155-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3496-149-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3688-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-175-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4132-211-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4372-143-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-140-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-142-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4896-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download