249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Size

1.1MB
MD5

afd34b911de8cf80608c8de4e86854f8
SHA1

8e7df120d04ae109f1882a7116851fb1732ec2a5
SHA256

249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa
SHA512

2886fd0e60b30e9e25b52ea7edd511b447b7d65719f81008917c06a6e3ab807fa65004697e45ca50687b853407056d69e890e0a106bf172bea37064c51f0b07f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2836	svchcst.exe
2064	svchcst.exe
3016	svchcst.exe
1844	svchcst.exe
1000	svchcst.exe
636	svchcst.exe
2236	svchcst.exe
2068	svchcst.exe
2952	svchcst.exe
2052	svchcst.exe
264	svchcst.exe
2496	svchcst.exe
2632	svchcst.exe
2708	svchcst.exe
1796	svchcst.exe
1924	svchcst.exe
2232	svchcst.exe
1936	svchcst.exe
2164	svchcst.exe
2608	svchcst.exe
1600	svchcst.exe
2016	svchcst.exe
2852	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2000	WScript.exe
2000	WScript.exe
2276	WScript.exe
2276	WScript.exe
3064	WScript.exe
3064	WScript.exe
820	WScript.exe
820	WScript.exe
2500	WScript.exe
2500	WScript.exe
1780	WScript.exe
1468	WScript.exe
1468	WScript.exe
2676	WScript.exe
2676	WScript.exe
2568	WScript.exe
2568	WScript.exe
876	WScript.exe
876	WScript.exe
2644	WScript.exe
1512	WScript.exe
1512	WScript.exe
808	WScript.exe
808	WScript.exe
2176	WScript.exe
2176	WScript.exe
2108	WScript.exe
2108	WScript.exe
1744	WScript.exe
1744	WScript.exe
2528	WScript.exe
2528	WScript.exe
2056	WScript.exe
2056	WScript.exe
1992	WScript.exe
1992	WScript.exe
2640	WScript.exe
2640	WScript.exe
2552	WScript.exe
2552	WScript.exe
2448	WScript.exe
2448	WScript.exe
1652	WScript.exe
1652	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
2836	svchcst.exe
2836	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
636	svchcst.exe
636	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2000	1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	30
PID 1080 wrote to memory of 2000	1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	30
PID 1080 wrote to memory of 2000	1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	30
PID 1080 wrote to memory of 2000	1080	249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe	30
PID 2000 wrote to memory of 2836	2000	WScript.exe	32
PID 2000 wrote to memory of 2836	2000	WScript.exe	32
PID 2000 wrote to memory of 2836	2000	WScript.exe	32
PID 2000 wrote to memory of 2836	2000	WScript.exe	32
PID 2836 wrote to memory of 2276	2836	svchcst.exe	33
PID 2836 wrote to memory of 2276	2836	svchcst.exe	33
PID 2836 wrote to memory of 2276	2836	svchcst.exe	33
PID 2836 wrote to memory of 2276	2836	svchcst.exe	33
PID 2276 wrote to memory of 2064	2276	WScript.exe	34
PID 2276 wrote to memory of 2064	2276	WScript.exe	34
PID 2276 wrote to memory of 2064	2276	WScript.exe	34
PID 2276 wrote to memory of 2064	2276	WScript.exe	34
PID 2064 wrote to memory of 3064	2064	svchcst.exe	35
PID 2064 wrote to memory of 3064	2064	svchcst.exe	35
PID 2064 wrote to memory of 3064	2064	svchcst.exe	35
PID 2064 wrote to memory of 3064	2064	svchcst.exe	35
PID 3064 wrote to memory of 3016	3064	WScript.exe	36
PID 3064 wrote to memory of 3016	3064	WScript.exe	36
PID 3064 wrote to memory of 3016	3064	WScript.exe	36
PID 3064 wrote to memory of 3016	3064	WScript.exe	36
PID 3016 wrote to memory of 820	3016	svchcst.exe	37
PID 3016 wrote to memory of 820	3016	svchcst.exe	37
PID 3016 wrote to memory of 820	3016	svchcst.exe	37
PID 3016 wrote to memory of 820	3016	svchcst.exe	37
PID 820 wrote to memory of 1844	820	WScript.exe	38
PID 820 wrote to memory of 1844	820	WScript.exe	38
PID 820 wrote to memory of 1844	820	WScript.exe	38
PID 820 wrote to memory of 1844	820	WScript.exe	38
PID 1844 wrote to memory of 2500	1844	svchcst.exe	39
PID 1844 wrote to memory of 2500	1844	svchcst.exe	39
PID 1844 wrote to memory of 2500	1844	svchcst.exe	39
PID 1844 wrote to memory of 2500	1844	svchcst.exe	39
PID 2500 wrote to memory of 1000	2500	WScript.exe	40
PID 2500 wrote to memory of 1000	2500	WScript.exe	40
PID 2500 wrote to memory of 1000	2500	WScript.exe	40
PID 2500 wrote to memory of 1000	2500	WScript.exe	40
PID 1000 wrote to memory of 1780	1000	svchcst.exe	41
PID 1000 wrote to memory of 1780	1000	svchcst.exe	41
PID 1000 wrote to memory of 1780	1000	svchcst.exe	41
PID 1000 wrote to memory of 1780	1000	svchcst.exe	41
PID 1780 wrote to memory of 636	1780	WScript.exe	42
PID 1780 wrote to memory of 636	1780	WScript.exe	42
PID 1780 wrote to memory of 636	1780	WScript.exe	42
PID 1780 wrote to memory of 636	1780	WScript.exe	42
PID 636 wrote to memory of 1468	636	svchcst.exe	43
PID 636 wrote to memory of 1468	636	svchcst.exe	43
PID 636 wrote to memory of 1468	636	svchcst.exe	43
PID 636 wrote to memory of 1468	636	svchcst.exe	43
PID 1468 wrote to memory of 2236	1468	WScript.exe	44
PID 1468 wrote to memory of 2236	1468	WScript.exe	44
PID 1468 wrote to memory of 2236	1468	WScript.exe	44
PID 1468 wrote to memory of 2236	1468	WScript.exe	44
PID 2092 wrote to memory of 2268	2092	WScript.exe	46
PID 2092 wrote to memory of 2268	2092	WScript.exe	46
PID 2092 wrote to memory of 2268	2092	WScript.exe	46
PID 2092 wrote to memory of 2268	2092	WScript.exe	46
PID 2268 wrote to memory of 2676	2268	svchcst.exe	47
PID 2268 wrote to memory of 2676	2268	svchcst.exe	47
PID 2268 wrote to memory of 2676	2268	svchcst.exe	47
PID 2268 wrote to memory of 2676	2268	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe
"C:\Users\Admin\AppData\Local\Temp\249a7bf568d45f1aa10772b3328e55fbd4d9eaaf8339e2fbc2f7f132d93ba4fa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        50⤵
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4d92a932da8a288a20dcf69d2f1dfe21

SHA1
e39d84fc442c7117d6d76b7dea148f92d6bbf6d1

SHA256
8a938d4197b471c3d7f07cfbe7e0f239c6a7ab7d390bd320b508084a0b05c10b

SHA512
d16809fe029e76eec970dda18b39a903e5bf8881c25149ebd01a7518b897c0783eead1269a9dda59a3d3934eac61baf9fa17fd15c9fed503f109059c5e7d6456

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0be01ed53a597b1296c3e5c893b3071c

SHA1
7afb8bb8966c4d4c92fc1aa13db9ae2645ada6a8

SHA256
9769a7728d46c85bdbe7254324d3d40c70d056058401de89b83448bdb2eb8905

SHA512
3893a573587bf9cf2ab45849a4f44548386991b2be41908d8fe17d580775eb93c68cff7aa2f855064c013019020887ea34ed2e4538f4df0b9b6da0809a716472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
be098b7982ad1dfc0b50d2e0beba42b4

SHA1
710365346db7f4b50e501ab4a0937e935ba85b2a

SHA256
083c25dd1799f7c39da1ed7e3e8ade306a8ae049f1051664a874cb02c81f97d9

SHA512
5e0d5db537b8e75650746b430908bb35a0490350828ea268f1fca7c5ddcc2b1eaa7751993bc922ef2baf912be3e9eeee7b4bc9a4b52ee163b27252de06ce9a07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce481c7487deffda897f25500f672ec8

SHA1
0610f6f124b6c0d86ce98ba37fc12f9ca9bb5610

SHA256
641776684b51b437f28a1fde05eb98506db62c81f1f3ea7e4a13e9a34ac40a7f

SHA512
99870b77dc47475a723000a97b68b415d72c2279351b4097455f5870169fbaeca65d6e2c90fdc32818ff3044436827827073700b4b7a3f26074540a3f86a954b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3b720e5962ddcd6fd83e6c52cb4d14e5

SHA1
a6fcfab53f9767d2d8aece3617d32ceba3cd269a

SHA256
18f346c7f7ae4e12af67b4e822a7f2b4686a828bc47d4fd2e5eda08f4d348e60

SHA512
be44d45171d163cfac4e94fea0f0cd515190c0f1c3c3b56af840a094125f0af9396ded81fff4709955093bfb068657b770a4c419b5c396319f782a4e040035ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1116a851fde219e39123a96d5e3ac3b6

SHA1
3acdccf213c3a6efc51c9d5894bb73db8e14e426

SHA256
fe0c5f2595809562460c442750e360d870a7ca933cf038b6bb888f7bf23e83d3

SHA512
731657937c83843bae3bfe97d0fa8f89dec0e6b9802544dbccdc288511409dc9b25d2190a0b1b08ba2fe0023f3e0355ba08011a4cf200859b1c7e840937b1d92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
db0cbbea5904afe74a68a7c53f3e09b7

SHA1
9e218ad6a11176c7249c4d626470796b45cb3e80

SHA256
2e9e68e7acdb12b873ad791f120bb0db372ad67551cce74ab5f4492c1c1d73ee

SHA512
4965edb3b1803fe290d2aaaf103e1042e46fec6acb9f4c2d1918b592a63baacb5efd64b20efc02b14f8544479b38f35f06466a5bcd5594bca9f56186b8e2deca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c527838dc8d0ae4c022e7fdf4ba050f5

SHA1
039ea552f8c70f20118cbda8403ebf407876bde2

SHA256
605ed28d05db708ba06e347eeae7f465763b849ef5562907c9175e40236dee8b

SHA512
a9b3181da14ff9f6f085467945090a3c1e331cca637dea0df43129113c0a4cf49b525aac0ce21e8ee9b0ccdee9965181f366c4c4c85522f9f755a6d3c033d3f9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
53b82ba6a93a51ec155fbcfb30b092c4

SHA1
870217adf1a25e933ae9fdb377d08ae7f0f76d75

SHA256
d495c09a83ff871567cdea3210e6c00eec22d8baa7d72a444c402d491ac37f41

SHA512
972039beb08e74cc9691cf907d0436ea543006860893f7fc54dd096f7c5e98f552d4bdfa9de9758d9ab896eaba6322be47063b8be9827aef4ca9bd2f9a2e6ca9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
837df5a52543c908b9888d93fb3770e1

SHA1
26c76e6ac4622ce8684b419a3640efac9dc2b97f

SHA256
9926d76666ab389dfb2f798d07da790387201a3d809bf61f932ceb6c775beab5

SHA512
2dc168e9f4bbdd867a40df6bae8eb5bcfd1490822615d31c8a8187e97b6fe9782233fadb1af17e149bbcaaeec8f2a11c5c620c12b94f162c0e62666ad5099be7

Download Submit
memory/264-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/264-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/636-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/636-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/820-58-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/820-59-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/876-159-0x0000000005B30000-0x0000000005C8F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-103-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-102-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-263-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-88-0x0000000004950000-0x0000000004AAF000-memory.dmp

Filesize
1.4MB

Download
memory/1796-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-271-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-268-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-254-0x0000000004910000-0x0000000004A6F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-113-0x0000000004610000-0x000000000476F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-169-0x0000000004610000-0x000000000476F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-29-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2276-28-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2496-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-75-0x0000000005DA0000-0x0000000005EFF000-memory.dmp

Filesize
1.4MB

Download
memory/2568-144-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2608-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-245-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/2640-246-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/2644-172-0x0000000005B60000-0x0000000005CBF000-memory.dmp

Filesize
1.4MB

Download
memory/2676-127-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/2676-128-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/2708-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-272-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-44-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download