f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
Size

1.1MB
MD5

e3dd4429cebaf4a1247916c2262e307b
SHA1

c49378589739f1d529ecb70a5c872c5e44a59f22
SHA256

f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5
SHA512

a10924e810c163ae56b3ee13b365a76dcd9d928cbac1f1c94c467e660fdff0052874958104f5ff6a17be681f7f5cfffd2eb5d978536759f1c48a8bed579d527d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qi:acallSllG4ZM7QzMR

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2708	svchcst.exe
2460	svchcst.exe
2020	svchcst.exe
2900	svchcst.exe
2168	svchcst.exe
564	svchcst.exe
2040	svchcst.exe
1228	svchcst.exe
2488	svchcst.exe
1956	svchcst.exe
1152	svchcst.exe
1832	svchcst.exe
1724	svchcst.exe
3060	svchcst.exe
396	svchcst.exe
1056	svchcst.exe
2732	svchcst.exe
1892	svchcst.exe
1720	svchcst.exe
1828	svchcst.exe
932	svchcst.exe
2420	svchcst.exe
2648	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2140	WScript.exe
2140	WScript.exe
2656	WScript.exe
2656	WScript.exe
1152	WScript.exe
1152	WScript.exe
1820	WScript.exe
1820	WScript.exe
2968	WScript.exe
2968	WScript.exe
1488	WScript.exe
1488	WScript.exe
2852	WScript.exe
2852	WScript.exe
2416	WScript.exe
2416	WScript.exe
2636	WScript.exe
2636	WScript.exe
2928	WScript.exe
2928	WScript.exe
1796	WScript.exe
1796	WScript.exe
1784	WScript.exe
1784	WScript.exe
1296	WScript.exe
1296	WScript.exe
1580	WScript.exe
1580	WScript.exe
328	WScript.exe
328	WScript.exe
1652	WScript.exe
1652	WScript.exe
2332	WScript.exe
2332	WScript.exe
2924	WScript.exe
2924	WScript.exe
1908	WScript.exe
1908	WScript.exe
1788	WScript.exe
1788	WScript.exe
1700	WScript.exe
1700	WScript.exe
996	WScript.exe
996	WScript.exe
2068	WScript.exe
2068	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
2708	svchcst.exe
2708	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
564	svchcst.exe
564	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1832	svchcst.exe
1832	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
396	svchcst.exe
396	svchcst.exe
1056	svchcst.exe
1056	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
932	svchcst.exe
932	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2140	2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe	28
PID 2052 wrote to memory of 2140	2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe	28
PID 2052 wrote to memory of 2140	2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe	28
PID 2052 wrote to memory of 2140	2052	f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe	28
PID 2140 wrote to memory of 2708	2140	WScript.exe	30
PID 2140 wrote to memory of 2708	2140	WScript.exe	30
PID 2140 wrote to memory of 2708	2140	WScript.exe	30
PID 2140 wrote to memory of 2708	2140	WScript.exe	30
PID 2708 wrote to memory of 2656	2708	svchcst.exe	31
PID 2708 wrote to memory of 2656	2708	svchcst.exe	31
PID 2708 wrote to memory of 2656	2708	svchcst.exe	31
PID 2708 wrote to memory of 2656	2708	svchcst.exe	31
PID 2656 wrote to memory of 2460	2656	WScript.exe	32
PID 2656 wrote to memory of 2460	2656	WScript.exe	32
PID 2656 wrote to memory of 2460	2656	WScript.exe	32
PID 2656 wrote to memory of 2460	2656	WScript.exe	32
PID 2460 wrote to memory of 1152	2460	svchcst.exe	33
PID 2460 wrote to memory of 1152	2460	svchcst.exe	33
PID 2460 wrote to memory of 1152	2460	svchcst.exe	33
PID 2460 wrote to memory of 1152	2460	svchcst.exe	33
PID 1152 wrote to memory of 2020	1152	WScript.exe	36
PID 1152 wrote to memory of 2020	1152	WScript.exe	36
PID 1152 wrote to memory of 2020	1152	WScript.exe	36
PID 1152 wrote to memory of 2020	1152	WScript.exe	36
PID 2020 wrote to memory of 1820	2020	svchcst.exe	37
PID 2020 wrote to memory of 1820	2020	svchcst.exe	37
PID 2020 wrote to memory of 1820	2020	svchcst.exe	37
PID 2020 wrote to memory of 1820	2020	svchcst.exe	37
PID 1820 wrote to memory of 2900	1820	WScript.exe	38
PID 1820 wrote to memory of 2900	1820	WScript.exe	38
PID 1820 wrote to memory of 2900	1820	WScript.exe	38
PID 1820 wrote to memory of 2900	1820	WScript.exe	38
PID 2900 wrote to memory of 2968	2900	svchcst.exe	39
PID 2900 wrote to memory of 2968	2900	svchcst.exe	39
PID 2900 wrote to memory of 2968	2900	svchcst.exe	39
PID 2900 wrote to memory of 2968	2900	svchcst.exe	39
PID 2968 wrote to memory of 2168	2968	WScript.exe	40
PID 2968 wrote to memory of 2168	2968	WScript.exe	40
PID 2968 wrote to memory of 2168	2968	WScript.exe	40
PID 2968 wrote to memory of 2168	2968	WScript.exe	40
PID 2168 wrote to memory of 1488	2168	svchcst.exe	41
PID 2168 wrote to memory of 1488	2168	svchcst.exe	41
PID 2168 wrote to memory of 1488	2168	svchcst.exe	41
PID 2168 wrote to memory of 1488	2168	svchcst.exe	41
PID 1488 wrote to memory of 564	1488	WScript.exe	42
PID 1488 wrote to memory of 564	1488	WScript.exe	42
PID 1488 wrote to memory of 564	1488	WScript.exe	42
PID 1488 wrote to memory of 564	1488	WScript.exe	42
PID 564 wrote to memory of 2852	564	svchcst.exe	43
PID 564 wrote to memory of 2852	564	svchcst.exe	43
PID 564 wrote to memory of 2852	564	svchcst.exe	43
PID 564 wrote to memory of 2852	564	svchcst.exe	43
PID 2852 wrote to memory of 2040	2852	WScript.exe	44
PID 2852 wrote to memory of 2040	2852	WScript.exe	44
PID 2852 wrote to memory of 2040	2852	WScript.exe	44
PID 2852 wrote to memory of 2040	2852	WScript.exe	44
PID 2040 wrote to memory of 2416	2040	svchcst.exe	45
PID 2040 wrote to memory of 2416	2040	svchcst.exe	45
PID 2040 wrote to memory of 2416	2040	svchcst.exe	45
PID 2040 wrote to memory of 2416	2040	svchcst.exe	45
PID 2416 wrote to memory of 1228	2416	WScript.exe	46
PID 2416 wrote to memory of 1228	2416	WScript.exe	46
PID 2416 wrote to memory of 1228	2416	WScript.exe	46
PID 2416 wrote to memory of 1228	2416	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe
"C:\Users\Admin\AppData\Local\Temp\f47cc5aab52141828d534579b3b4d1be5d4e8114f32c99fc7c4902cfd5aaeef5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5fd3414bf693bcefc687e1e404e6ec94

SHA1
1bf973e142ab14d3076da8dd3a4d4927338adfa3

SHA256
fc69f8185115e8c49b4af7fdb3d169633153fc155752dc759c09e56899e4b6a8

SHA512
83797ff40cbeeec76a3894fb423546d39b6283ba4a3a6fdf576f0cb837c2a8315673f58c23b26c54f31bf316847e7922d83629b4e1e385dc0c087d564b72248b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1ad9c18a17a7e2a06943b3e2c754b7ce

SHA1
a1da9dec564c784cff0386b87983f190a31d6743

SHA256
a7df20c7025d69d2d9c58d6f07ef6413c7d1808875f84fc240ba6e6977f3c272

SHA512
78f50d29b0a7b8fedcdffd5c439cf0d7d3d1fc7ffacf4e99b8dd0308a2d73c17035a9c253a4648d27a9ebd6adf62b09fe2425ffb391f40fa93cbddd52f1653ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c603d948e4e70747601a9dfa348e75b5

SHA1
04539fd4a28bee0732095e844b9cb31e819a72b4

SHA256
ae9a04ebf97fa4578a2ba3d03dc93b78c613c85ff14d57a8f2f5ba88095ef8f6

SHA512
5975fe1ae281b1f83043f729a6365fa07ba98cfc905a61504b40f6895f2fa310fdb1ba5daed135153b4df907af8c4b6ea00343e5df00c76e213bef1ef3ea606e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95508653343ab85a547de497aa3dc607

SHA1
3ea7527888d1dea138e2b34dd9a281e2fd9984e0

SHA256
689df1f986ac8bc7d51be603fed51d478e18ed6974e2f2770c8efb2ea6065967

SHA512
3b9181bb95b60df5520b456efdebc6cb013bba78db284a6988f7db0dd7cf6b7f2c54b772b0b0edf769d5e9c8c58be321432e58826decd25c0daa63282b6ecefc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0384a4d7ba83475814f7c6d7333c4d7f

SHA1
b5d7111d599af079c6f21f258625920d0b8ae795

SHA256
7883172e04d92b70ea4218c57d1d9eccfce783a191ccc38f127f20ff5683661e

SHA512
29ba19b9b4ef81b482549dfb820aa1f651a54a2947413fbb6186b1676b646d3eacaecea7e129a8331eb6f0cbe40a2144d34bab4e57ccccdbebb7741ba4d54715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d190a1a678ed1a320222b588deb6f574

SHA1
2e660eee5e3ac506dfe411cc1e7f60e85060dd74

SHA256
61c054a17566b342b8ce69a4017c3029c0e6cc2823b0865c4029abb8666433ef

SHA512
bb22fd6d2b1e9f5fba736ffa95c399508b18206cb9330f4b2089d69143e3efd4527650137c81dabbcb67f5a15b1a8340cdd9d8e629e77134ff1d28acf3163845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee4e2083f1c70fb79c5b20d840654380

SHA1
7da9ca5ff95a816cc55c05f49f250a9a836d8676

SHA256
d259917ce17573a14ab02e958c4fd31e254d21335673207a7e97afb67918387c

SHA512
818472ffb5ded870dc2bf8aa2c09cc6bbb9eed287aa54b06dfba22c4d9871f6bec403aedc618f2dbcb2e8adfbc7c7928e7555b20190707f175c42205b8c83d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
297bbf94061bcb87f73e8aa0acfa328b

SHA1
c27e3d881a3a937043c0acaf714d26fed8238b63

SHA256
d19c19d61d611cc0f6dc2982c73cf8d3ef17205c913c49d820a5a385caeda6fd

SHA512
6bb2a03a70b3ae9001d4418fa2ddfca737f5a59c9801ac77e376b2f0b721a514769d5947f9220cff7b5f99dba8548da68ec0bc17b8e49424f8ee390aba12151a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d7945057607e17de16434dc1d3b7d07

SHA1
ea42c0f04ccaf9616b31b39b93111e49035ab35a

SHA256
e438386650e888470b0f6a65c3cd74d8e41d5d676746195ace192fa4c71d3e73

SHA512
960b7fc9615670136bfc114d5374278509f53ea4147869ecd59eaa3810a4b16fc4d73ebf08738e085725f746525d5a5a6c1dcda9e046a6c78bbd58c43d414f05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bdc8d0e69fa3354c3cefa64bd7b4cf0f

SHA1
17b3c73adc75bcfe1dd4f68fb22f280dbc1a285d

SHA256
0f04996063cbbcd7c02dc6437fc213827b1db1fc2bdfafc1ecefd4d85cc778bd

SHA512
7e093cc8d458f8aebd6cf9197d89c81736922e286c1f1c2fda11d031ca4704bd5016ce41f0da58e93143db00a0fc223241b449999321fe2c174bda75c715f0a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87211e8a599052c4c715c00e52a9b779

SHA1
ab206f90a015e5c472c70d2893b4484390968f7d

SHA256
45fc8bee34a2b942ebdea849d3d0ea1a415b1dae883f47c6b83a8b9f24352571

SHA512
aea0ee470951c0a886690bc3e8ff3c2ea2ba97c231ba999a24c3b370d794e2a3d08f5ac362917df3ac3e6f1e76a03f048816cf8e7948b53bb6dbb30c1d689ff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d109dce0c547d58151ebcd74907d88ea

SHA1
4a17c136cbc023dda7d3091df4606c16528b2644

SHA256
6bdef338e4b4df786dedeb4a60a0cc770ae15adc34ce9660542655cf6b45c0c1

SHA512
0d9a790a45bb056ef76a41b2877dce954cba2512fac48c3cf5eee97ebc757cd908d528ca605f95a687a44d0cf2b86c5eb49fbf246ae5101eca6c5c74bf75c24e

Download Submit
memory/396-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/396-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/564-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/932-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/932-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1056-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1056-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1228-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1228-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-190-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1724-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1724-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-15-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-14-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-199-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download