isrstealer | ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c

Analysis

max time kernel
85s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
Size

648KB
MD5

894076096dbed940112524f6f4c5e03e
SHA1

708137b59727628d351d3b13f10c5630ec7127be
SHA256

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c
SHA512

78520cf458378e6d646caa1ae2e1baaafeb3c4f2299c40c6575b64f5e76d0bb6daba34451ebf6e51fe93a8a2a43ae510200b8be46e1209cd87fa75cb6963ae2c
SSDEEP

12288:LW6hqMI1GJsvLBOyEtoWW6hqMI1GJsvLBOyEto1X:LW6hqMIcJgBvEtoWW6hqMIcJgBvEto1X

Score

10^/10

isrstealer collection spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_isrstealer
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_isrstealer
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4256-140-0x0000000000000000-mapping.dmp	family_isrstealer
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_isrstealer
behavioral2/memory/4256-154-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_isrstealer
behavioral2/memory/4256-181-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4256-182-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4412-169-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/5008-168-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4412-177-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4412-179-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/5008-180-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4412-169-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/5008-168-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4412-177-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4412-179-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/5008-180-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

Server.exeServer.exeServer.exe

pid process

4808 Server.exe
3600 Server.exe
5008 Server.exe

pid	process
4808	Server.exe
3600	Server.exe
5008	Server.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4724-147-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4724-152-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3600-155-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3600-158-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4724-157-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5008-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4412-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4412-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4412-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5008-180-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exeServer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Server.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exeServer.exe

description	pid	process	target process
PID 4256 set thread context of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4808 set thread context of 3600	4808	Server.exe	Server.exe
PID 4808 set thread context of 5008	4808	Server.exe	Server.exe
PID 4256 set thread context of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exeServer.exeec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

pid	process
1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
4808	Server.exe
4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exeServer.exeec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe

C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
"C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\Server.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\KpkBtevw45.ini"
3⤵
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Local\Temp\Server.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\uBygUjjUDR.ini"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:5008

C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
"C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\exBSOFwRsj.ini"
3⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\uBygUjjUDR.ini"
3⤵
- Accesses Microsoft Outlook accounts
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
76e7d5bf61b2e80d159f88aa9798ce91

SHA1
32a46de50c9c02b068e39cf49b78c7e2d5ace20d

SHA256
280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

SHA512
5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
916c512d221c683beeea9d5cb311b0b0

SHA1
bf0db4b1c4566275b629efb095b6ff8857b5748e

SHA256
64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

SHA512
af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71
Filesize
472B

MD5
b5170f55c5fd102cd23a641a76db5095

SHA1
9c9855182d6d8c7d281a88eb74c4ad964c166d51

SHA256
87cd0f31cae591c772a1ce76a198c8480e575b163cfcde3a0a191ae7a491e6e8

SHA512
b503d73c7b9e99a0f43c0fea92a2b8f49bfb164a2ef290f69860dd20623c735199f6b3abbaac472585365d71c3551e006bcef504456fcd728d7f781fe1d568c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
6620005514f3af001a7b5bd25f0f8120

SHA1
62534c1aad783151d81eb92c0a0886fd079e2bbd

SHA256
8abfb252be76739083d33394da802f69c490193b1c7ca6372c43ff9f7fc7b18e

SHA512
3dd5b76e2bc03b91fab2f2428568c174cede3ebd6242fa85a3ee4c2b18ef5acff23ab3093e69477272eb2936fbcce638632ab4019ac6e2d25e1697fecf53b9d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e2641d8a2d196387c2c07f7c50a3910e

SHA1
7d1107e5bd57d8a73039ea6af68e9365936569f6

SHA256
81bad4f3841680ffadb7e5a4a19956932dabb6ee8cafd76bb8d9367c06649139

SHA512
7cc9b8272868e4dadac1e81130e5977406db4a09529a97616c84aad805abaa8d5994589fdcfc365b4a3d5bd80b9e55c0b4134573f122d6b9669f56a43f3397c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e2641d8a2d196387c2c07f7c50a3910e

SHA1
7d1107e5bd57d8a73039ea6af68e9365936569f6

SHA256
81bad4f3841680ffadb7e5a4a19956932dabb6ee8cafd76bb8d9367c06649139

SHA512
7cc9b8272868e4dadac1e81130e5977406db4a09529a97616c84aad805abaa8d5994589fdcfc365b4a3d5bd80b9e55c0b4134573f122d6b9669f56a43f3397c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71
Filesize
484B

MD5
9c0497baf9a047af7b35ca60b6f20741

SHA1
d6844a200e160070bcf0270dd812f53e772ba400

SHA256
c55ee2d0f70311a17ef65d6a49670b9f6c78d72bef630a070a8cfe845e0b1db8

SHA512
afebe18ab7bcfee410d1e44cfa8c5db986491901c99cea92472f34ddd7cf776b9513c4aafab596835a005aa0d34a8b53e6334547e5871b57b64c56fdf72ee346

Download Submit
C:\Users\Admin\AppData\Local\Temp\KpkBtevw45.ini
Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
260KB

MD5
41d7addcd76dd58c8133bdd7fe4f4842

SHA1
b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

SHA256
0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

SHA512
4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
260KB

MD5
41d7addcd76dd58c8133bdd7fe4f4842

SHA1
b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

SHA256
0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

SHA512
4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
260KB

MD5
41d7addcd76dd58c8133bdd7fe4f4842

SHA1
b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

SHA256
0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

SHA512
4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
260KB

MD5
41d7addcd76dd58c8133bdd7fe4f4842

SHA1
b561ecda6f23d843ddb29b0d9fe9afda1493e3e0

SHA256
0582db61775b6cff423a7dc8621a0318f2ef23ee83d47525f3c8b8c6f432e9af

SHA512
4b695bc156590310bef57936f01b4882f20988410e3b3d5d7507bfb0057f2c88d72f3ae4b6d4dbf9b4ade388071b13c7f1cf3a5f97277e0b60a2c5cfdcdf84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exBSOFwRsj.ini
Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/1556-141-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/1556-134-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/3600-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3600-155-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3600-146-0x0000000000000000-mapping.dmp

Download
memory/4256-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-140-0x0000000000000000-mapping.dmp

Download
memory/4412-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4412-169-0x0000000000000000-mapping.dmp

Download
memory/4412-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4412-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4724-147-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-145-0x0000000000000000-mapping.dmp

Download
memory/4724-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-135-0x0000000000000000-mapping.dmp

Download
memory/5008-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-168-0x0000000000000000-mapping.dmp

Download
memory/5008-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

description	pid	process	target process
PID 1556 wrote to memory of 4808	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	Server.exe
PID 1556 wrote to memory of 4808	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	Server.exe
PID 1556 wrote to memory of 4808	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	Server.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 1556 wrote to memory of 4256	1556	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4724	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4808 wrote to memory of 3600	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe
PID 4808 wrote to memory of 5008	4808	Server.exe	Server.exe
PID 4256 wrote to memory of 4412	4256	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe	ec889c7b55d7236ba0d5bde2c5d842d15752267d38597b2eb165cd04d3c0129c.exe