isrstealer | 7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe
Size

962KB
MD5

05fef27b342e781baf4afb4a5b62cac3
SHA1

538f859e713439d99efb1491bfbe2c99005e209f
SHA256

7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01
SHA512

b58d6351a7503b330d9cc96926f9e05514f6106fc560cfc89d3ce04cbfa8885394c296798485630b2b61d96c72f2aa3230838e63b33d2b9481876f6267d16435
SSDEEP

24576:Jt24wfvf7a8DPw67oc1xuzoVF5r5QAwFv0XcI:1ef7aD6Ffuw7B2fI

Score

10^/10

isrstealer collection defense_evasion discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 8 IoCs

resource	yara_rule
behavioral2/memory/4268-22-0x0000000000400000-0x0000000000500000-memory.dmp	family_isrstealer
behavioral2/memory/4268-38-0x0000000000400000-0x0000000000500000-memory.dmp	family_isrstealer
behavioral2/memory/4268-39-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2028-44-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2028-45-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1172-58-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4820-72-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/1160-93-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3016-55-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4024-68-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1352-78-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4688-89-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3016-55-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4024-68-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1352-78-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4688-89-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	java.com

Executes dropped EXE 8 IoCs

pid	Process
344	java.com
1576	java.com
1796	java.com
4408	java.com
4268	java.com
5116	java.com
1344	java.com
2952	java.com

Accesses Microsoft Outlook accounts 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 4268	344	java.com	84
PID 4268 set thread context of 2000	4268	RegSvcs.exe	85
PID 4268 set thread context of 4300	4268	RegSvcs.exe	90
PID 1576 set thread context of 2028	1576	java.com	102
PID 2028 set thread context of 4528	2028	RegSvcs.exe	103
PID 2028 set thread context of 3016	2028	RegSvcs.exe	105
PID 1796 set thread context of 1172	1796	java.com	108
PID 1172 set thread context of 3148	1172	RegSvcs.exe	109
PID 1172 set thread context of 4024	1172	RegSvcs.exe	110
PID 4408 set thread context of 4820	4408	java.com	113
PID 4820 set thread context of 2300	4820	RegSvcs.exe	114
PID 4820 set thread context of 1352	4820	RegSvcs.exe	117
PID 5116 set thread context of 2292	5116	java.com	123
PID 2292 set thread context of 3188	2292	RegSvcs.exe	124
PID 2292 set thread context of 4688	2292	RegSvcs.exe	127
PID 2952 set thread context of 1160	2952	java.com	133
PID 1160 set thread context of 2792	1160	RegSvcs.exe	134

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2000-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2000-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2000-28-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2000-29-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2000-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4300-37-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4528-49-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4528-50-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3016-53-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3016-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3016-55-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-62-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3148-63-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4024-67-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4024-68-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1352-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1352-78-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4688-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4688-89-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2792-97-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2792-98-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2348	4300	WerFault.exe	90
452	4300	WerFault.exe	90
220	2300	WerFault.exe	114
1876	3188	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	java.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com
344	java.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	344	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1576	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com
Token: SeDebugPrivilege	1796	java.com

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4268	RegSvcs.exe
2028	RegSvcs.exe
1172	RegSvcs.exe
4820	RegSvcs.exe
2292	RegSvcs.exe
1160	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 344	4440	7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe	82
PID 4440 wrote to memory of 344	4440	7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe	82
PID 4440 wrote to memory of 344	4440	7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe	82
PID 344 wrote to memory of 4268	344	java.com	84
PID 344 wrote to memory of 4268	344	java.com	84
PID 344 wrote to memory of 4268	344	java.com	84
PID 344 wrote to memory of 4268	344	java.com	84
PID 344 wrote to memory of 4268	344	java.com	84
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 2000	4268	RegSvcs.exe	85
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 4268 wrote to memory of 4300	4268	RegSvcs.exe	90
PID 344 wrote to memory of 3440	344	java.com	99
PID 344 wrote to memory of 3440	344	java.com	99
PID 344 wrote to memory of 3440	344	java.com	99
PID 3440 wrote to memory of 1576	3440	WScript.exe	100
PID 3440 wrote to memory of 1576	3440	WScript.exe	100
PID 3440 wrote to memory of 1576	3440	WScript.exe	100
PID 1576 wrote to memory of 2028	1576	java.com	102
PID 1576 wrote to memory of 2028	1576	java.com	102
PID 1576 wrote to memory of 2028	1576	java.com	102
PID 1576 wrote to memory of 2028	1576	java.com	102
PID 1576 wrote to memory of 2028	1576	java.com	102
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 4528	2028	RegSvcs.exe	103
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 2028 wrote to memory of 3016	2028	RegSvcs.exe	105
PID 1576 wrote to memory of 1908	1576	java.com	106
PID 1576 wrote to memory of 1908	1576	java.com	106
PID 1576 wrote to memory of 1908	1576	java.com	106
PID 1908 wrote to memory of 1796	1908	WScript.exe	107
PID 1908 wrote to memory of 1796	1908	WScript.exe	107
PID 1908 wrote to memory of 1796	1908	WScript.exe	107
PID 1796 wrote to memory of 1172	1796	java.com	108
PID 1796 wrote to memory of 1172	1796	java.com	108
PID 1796 wrote to memory of 1172	1796	java.com	108
PID 1796 wrote to memory of 1172	1796	java.com	108
PID 1796 wrote to memory of 1172	1796	java.com	108
PID 1172 wrote to memory of 3148	1172	RegSvcs.exe	109
PID 1172 wrote to memory of 3148	1172	RegSvcs.exe	109

C:\Users\Admin\AppData\Local\Temp\7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe
"C:\Users\Admin\AppData\Local\Temp\7606d0813a456f9f7599614e892ebd824ea29dda6b1d49c3d28210a79c253e01.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\2j3ttgc8z87nhh\java.com
  "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\XXamqeP6mI.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Q3AnDToN4I.ini"
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 12
        5⤵
        Program crash
        
        PID:2348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 20
        5⤵
        Program crash
        
        PID:452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\2j3ttgc8z87nhh\java.com
      "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NdPxQXqP0G.ini"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\NwCaAdH6UI.ini"
        6⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\WID3RZakIT.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\EL98AXk91d.ini"
        8⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\urEw9Tq7mI.ini"
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 80
        11⤵
        Program crash
        
        PID:220
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\3sZtwFbaiX.ini"
        10⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        11⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\tAZ9jvhm3j.ini"
        14⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 80
        15⤵
        Program crash
        
        PID:1876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0FjfshW6Rc.ini"
        14⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        15⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0iHsvEBE2c.ini"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4300 -ip 4300
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4300 -ip 4300
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2300 -ip 2300
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3188 -ip 3188
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2J3TTG~1\RnVPBHBJlpC.HSV

Filesize
175B

MD5
8f44d5f1c08fd7351d73a3daca2bbfd0

SHA1
e8e669b9fa500019b7b87fdb363e9036f8417531

SHA256
0a90c52851b8e20c3fb985c7ab763a61b9b94d9423ad893132ec0f794fe6faf1

SHA512
fc610f4be75b452a1e146e8d166f25a8c74402b2abac15206a61c53b1eb2d64eb6dcae56da02388581fbaeac965f9144ff23dcec863415dd5f6eeebb7d7fbca0

Download Submit
C:\Users\Admin\2J3TTG~1\VvpRdmt.LGK

Filesize
260KB

MD5
887bfe186323191177fcc1d92fe45aba

SHA1
07edd3c86a74c0a96d4a715761bd35531d716c92

SHA256
0c0d3f3782b615900301db24caa9351ff7decf3f9ce3eb1577c17dda4ab59d1e

SHA512
d9483090b49afc0ab4ec60aac56500fcb60411759d0b94db199e586b530939891f321390c99efddd518d4b873391e144bcb26deb7ea672aec5f1882ae4d3c2b4

Download Submit
C:\Users\Admin\2J3TTG~1\run.vbs

Filesize
90B

MD5
b67f9f21ffe6ce14e34a3faa763e3d7e

SHA1
283811a92820f5558632e2f7eabf4deb198fd131

SHA256
3baee1be372ff258064ab7fd2f72b7330d933160ad3829bcc51782b9d82a5b0c

SHA512
445e9ab432136848c4df6d085899336e89b171bd0497fe08aac49e955be24807a5497682d97169f2d0d785c5d93d75da338c70fc7657f5775d3efbcc83c70c9e

Download Submit
C:\Users\Admin\2j3ttgc8z87nhh\java.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\2j3ttgc8z87nhh\oGQmSBaRL.VPG

Filesize
30.9MB

MD5
b809efdf2ec2751251cb835183d82bb5

SHA1
32cd37d5bbe861d9d7c7044b98c1c2e9312128f6

SHA256
887b5699fc70c681821d92f2e2937696ce68b98277771e9057320278d24aa931

SHA512
752b1ef10868105741d94c32e8053e6131ee4f3a37feda8453b5fd9e35649fd0f400848cfda665c230d81d7a6141313b6035bc5f46d8086e33cb6ac863e97be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXamqeP6mI.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/1160-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1172-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1352-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2792-98-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-63-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4024-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4268-38-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4268-22-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4268-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4300-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-50-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4688-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4820-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download