isrstealer | ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0

Analysis

max time kernel
117s
max time network
99s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Size

962KB
MD5

2626b7755d40d743f55c7580a1beb8b0
SHA1

e3771299ec9da3c6ed2ee23ebf509e08fbd1237f
SHA256

ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0
SHA512

1a5df2f2c182601716575f12ea0bc6a677500e9c8a962b442bd1d31c35a6a287c790061b2071ffac31ebf94a138b0e3d6c8ef53b0cd424faa5a7e63259732e05
SSDEEP

24576:Jt24wfvf7a8DPw67oc1xuzoVF5r5QAwFv0XcI:1ef7aD6Ffuw7B2fI

Score

10^/10

isrstealer collection defense_evasion discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2760-30-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2760-50-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral1/memory/2760-51-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Executes dropped EXE 9 IoCs

pid	Process
2260	java.com
2900	java.com
2104	java.com
1656	java.com
2528	java.com
2344	java.com
1072	java.com
1108	java.com
796	java.com

Loads dropped DLL 12 IoCs

pid	Process
1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
1688	WScript.exe
3044	WScript.exe
1256	WScript.exe
2612	WScript.exe
2952	WScript.exe
2416	WScript.exe
1584	WScript.exe
1700	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 2760	2260	java.com	31
PID 2760 set thread context of 1092	2760	RegSvcs.exe	33
PID 2760 set thread context of 1552	2760	RegSvcs.exe	35
PID 2104 set thread context of 2320	2104	java.com	41
PID 2320 set thread context of 2276	2320	RegSvcs.exe	42
PID 2320 set thread context of 1436	2320	RegSvcs.exe	43
PID 1656 set thread context of 2544	1656	java.com	47
PID 2544 set thread context of 812	2544	RegSvcs.exe	48
PID 2544 set thread context of 1752	2544	RegSvcs.exe	49
PID 2528 set thread context of 3028	2528	java.com	53
PID 3028 set thread context of 3024	3028	RegSvcs.exe	54
PID 3028 set thread context of 2856	3028	RegSvcs.exe	55
PID 2344 set thread context of 876	2344	java.com	59
PID 876 set thread context of 656	876	RegSvcs.exe	60
PID 876 set thread context of 1240	876	RegSvcs.exe	61
PID 1072 set thread context of 2260	1072	java.com	64
PID 2260 set thread context of 1844	2260	RegSvcs.exe	65
PID 2260 set thread context of 2932	2260	RegSvcs.exe	66
PID 1108 set thread context of 1560	1108	java.com	70
PID 1560 set thread context of 2276	1560	RegSvcs.exe	71
PID 1560 set thread context of 984	1560	RegSvcs.exe	72

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1092-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1092-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1092-38-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1092-37-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1552-46-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-48-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-47-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2276-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2276-69-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2276-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/812-89-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/812-90-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1752-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/3024-107-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3024-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/3024-109-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2856-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1240-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1240-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2260	java.com
2900	java.com
2900	java.com
2900	java.com
2900	java.com
2900	java.com
2900	java.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2260	java.com
Token: SeDebugPrivilege	2900	java.com
Token: SeDebugPrivilege	2900	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	2104	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com
Token: SeDebugPrivilege	1656	java.com

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2760	RegSvcs.exe
2320	RegSvcs.exe
2544	RegSvcs.exe
3028	RegSvcs.exe
876	RegSvcs.exe
2260	RegSvcs.exe
1560	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 1664 wrote to memory of 2260	1664	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	30
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2260 wrote to memory of 2760	2260	java.com	31
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1092	2760	RegSvcs.exe	33
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2760 wrote to memory of 1552	2760	RegSvcs.exe	35
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 2260 wrote to memory of 1688	2260	java.com	36
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 1688 wrote to memory of 2900	1688	WScript.exe	37
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 2932	2900	java.com	38
PID 2900 wrote to memory of 3044	2900	java.com	39
PID 2900 wrote to memory of 3044	2900	java.com	39
PID 2900 wrote to memory of 3044	2900	java.com	39

C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\2j3ttgc8z87nhh\java.com
  "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\2IcmWcXXue.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\OXZweVZVa6.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:1552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\2j3ttgc8z87nhh\java.com
      "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3044
      - C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\uebhBN5X4e.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\FQSdUFcQTR.ini"
        8⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\G0HJNgQeIQ.ini"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\8U6ATX7tA5.ini"
        10⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\5PLH0CfaVf.ini"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\fljrbSLKZh.ini"
        12⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ORPg2Il7PP.ini"
        14⤵
        
        PID:656
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\VdvyJGCwHx.ini"
        14⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\ULEa6mMFIu.ini"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\lVPG7j6FKy.ini"
        16⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Swpbkr1YZd.ini"
        18⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\nlaq7a1444.ini"
        18⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2J3TTG~1\RnVPBHBJlpC.HSV

Filesize
175B

MD5
8f44d5f1c08fd7351d73a3daca2bbfd0

SHA1
e8e669b9fa500019b7b87fdb363e9036f8417531

SHA256
0a90c52851b8e20c3fb985c7ab763a61b9b94d9423ad893132ec0f794fe6faf1

SHA512
fc610f4be75b452a1e146e8d166f25a8c74402b2abac15206a61c53b1eb2d64eb6dcae56da02388581fbaeac965f9144ff23dcec863415dd5f6eeebb7d7fbca0

Download Submit
C:\Users\Admin\2J3TTG~1\VvpRdmt.LGK

Filesize
260KB

MD5
887bfe186323191177fcc1d92fe45aba

SHA1
07edd3c86a74c0a96d4a715761bd35531d716c92

SHA256
0c0d3f3782b615900301db24caa9351ff7decf3f9ce3eb1577c17dda4ab59d1e

SHA512
d9483090b49afc0ab4ec60aac56500fcb60411759d0b94db199e586b530939891f321390c99efddd518d4b873391e144bcb26deb7ea672aec5f1882ae4d3c2b4

Download Submit
C:\Users\Admin\2J3TTG~1\run.vbs

Filesize
90B

MD5
b67f9f21ffe6ce14e34a3faa763e3d7e

SHA1
283811a92820f5558632e2f7eabf4deb198fd131

SHA256
3baee1be372ff258064ab7fd2f72b7330d933160ad3829bcc51782b9d82a5b0c

SHA512
445e9ab432136848c4df6d085899336e89b171bd0497fe08aac49e955be24807a5497682d97169f2d0d785c5d93d75da338c70fc7657f5775d3efbcc83c70c9e

Download Submit
C:\Users\Admin\2j3ttgc8z87nhh\oGQmSBaRL.VPG

Filesize
30.9MB

MD5
b809efdf2ec2751251cb835183d82bb5

SHA1
32cd37d5bbe861d9d7c7044b98c1c2e9312128f6

SHA256
887b5699fc70c681821d92f2e2937696ce68b98277771e9057320278d24aa931

SHA512
752b1ef10868105741d94c32e8053e6131ee4f3a37feda8453b5fd9e35649fd0f400848cfda665c230d81d7a6141313b6035bc5f46d8086e33cb6ac863e97be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2IcmWcXXue.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
\Users\Admin\2j3ttgc8z87nhh\java.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/812-90-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/812-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1092-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1240-128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1752-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2276-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2320-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2856-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-107-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-109-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download