bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
Size

1.1MB
MD5

758876e4926513d16311fbd2d4eae9d5
SHA1

2ff9f669d3f7d0f28e1c7336cc1c291716486b54
SHA256

bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f
SHA512

9e891ded77d9b90cb11f60236e3417f020e307156ecd20b5b0059f05016479e72e394d0ba57003d535ae205f70a30b16ed0730222b2958ec3225fa315ea870d4
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2700	svchcst.exe
2444	svchcst.exe
2828	svchcst.exe
2320	svchcst.exe
1516	svchcst.exe
700	svchcst.exe
1856	svchcst.exe
1764	svchcst.exe
2424	svchcst.exe
2796	svchcst.exe
2120	svchcst.exe
944	svchcst.exe
604	svchcst.exe
648	svchcst.exe
2408	svchcst.exe
2028	svchcst.exe
1520	svchcst.exe
2832	svchcst.exe
2932	svchcst.exe
484	svchcst.exe
2336	svchcst.exe
1716	svchcst.exe
3040	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
868	WScript.exe
868	WScript.exe
2732	WScript.exe
2732	WScript.exe
2812	WScript.exe
2812	WScript.exe
1228	WScript.exe
1228	WScript.exe
2072	WScript.exe
3048	WScript.exe
3048	WScript.exe
1500	WScript.exe
1500	WScript.exe
2660	WScript.exe
2660	WScript.exe
2584	WScript.exe
2584	WScript.exe
2904	WScript.exe
2904	WScript.exe
2404	WScript.exe
2328	WScript.exe
2328	WScript.exe
1656	WScript.exe
1656	WScript.exe
2240	WScript.exe
2240	WScript.exe
2292	WScript.exe
2292	WScript.exe
2856	WScript.exe
2856	WScript.exe
2620	WScript.exe
2620	WScript.exe
2804	WScript.exe
2804	WScript.exe
1944	WScript.exe
1944	WScript.exe
1420	WScript.exe
1420	WScript.exe
2188	WScript.exe
2188	WScript.exe
760	WScript.exe
760	WScript.exe
1268	WScript.exe
1268	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
2700	svchcst.exe
2700	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2828	svchcst.exe
2828	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
700	svchcst.exe
700	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
944	svchcst.exe
944	svchcst.exe
604	svchcst.exe
604	svchcst.exe
648	svchcst.exe
648	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
484	svchcst.exe
484	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 868	3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe	31
PID 3032 wrote to memory of 868	3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe	31
PID 3032 wrote to memory of 868	3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe	31
PID 3032 wrote to memory of 868	3032	bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe	31
PID 868 wrote to memory of 2700	868	WScript.exe	33
PID 868 wrote to memory of 2700	868	WScript.exe	33
PID 868 wrote to memory of 2700	868	WScript.exe	33
PID 868 wrote to memory of 2700	868	WScript.exe	33
PID 2700 wrote to memory of 2732	2700	svchcst.exe	34
PID 2700 wrote to memory of 2732	2700	svchcst.exe	34
PID 2700 wrote to memory of 2732	2700	svchcst.exe	34
PID 2700 wrote to memory of 2732	2700	svchcst.exe	34
PID 2732 wrote to memory of 2444	2732	WScript.exe	35
PID 2732 wrote to memory of 2444	2732	WScript.exe	35
PID 2732 wrote to memory of 2444	2732	WScript.exe	35
PID 2732 wrote to memory of 2444	2732	WScript.exe	35
PID 2444 wrote to memory of 2812	2444	svchcst.exe	36
PID 2444 wrote to memory of 2812	2444	svchcst.exe	36
PID 2444 wrote to memory of 2812	2444	svchcst.exe	36
PID 2444 wrote to memory of 2812	2444	svchcst.exe	36
PID 2812 wrote to memory of 2828	2812	WScript.exe	37
PID 2812 wrote to memory of 2828	2812	WScript.exe	37
PID 2812 wrote to memory of 2828	2812	WScript.exe	37
PID 2812 wrote to memory of 2828	2812	WScript.exe	37
PID 2828 wrote to memory of 1228	2828	svchcst.exe	38
PID 2828 wrote to memory of 1228	2828	svchcst.exe	38
PID 2828 wrote to memory of 1228	2828	svchcst.exe	38
PID 2828 wrote to memory of 1228	2828	svchcst.exe	38
PID 1228 wrote to memory of 2320	1228	WScript.exe	39
PID 1228 wrote to memory of 2320	1228	WScript.exe	39
PID 1228 wrote to memory of 2320	1228	WScript.exe	39
PID 1228 wrote to memory of 2320	1228	WScript.exe	39
PID 2320 wrote to memory of 2072	2320	svchcst.exe	40
PID 2320 wrote to memory of 2072	2320	svchcst.exe	40
PID 2320 wrote to memory of 2072	2320	svchcst.exe	40
PID 2320 wrote to memory of 2072	2320	svchcst.exe	40
PID 2072 wrote to memory of 1516	2072	WScript.exe	41
PID 2072 wrote to memory of 1516	2072	WScript.exe	41
PID 2072 wrote to memory of 1516	2072	WScript.exe	41
PID 2072 wrote to memory of 1516	2072	WScript.exe	41
PID 1516 wrote to memory of 3048	1516	svchcst.exe	42
PID 1516 wrote to memory of 3048	1516	svchcst.exe	42
PID 1516 wrote to memory of 3048	1516	svchcst.exe	42
PID 1516 wrote to memory of 3048	1516	svchcst.exe	42
PID 3048 wrote to memory of 700	3048	WScript.exe	43
PID 3048 wrote to memory of 700	3048	WScript.exe	43
PID 3048 wrote to memory of 700	3048	WScript.exe	43
PID 3048 wrote to memory of 700	3048	WScript.exe	43
PID 700 wrote to memory of 1500	700	svchcst.exe	44
PID 700 wrote to memory of 1500	700	svchcst.exe	44
PID 700 wrote to memory of 1500	700	svchcst.exe	44
PID 700 wrote to memory of 1500	700	svchcst.exe	44
PID 1500 wrote to memory of 1856	1500	WScript.exe	45
PID 1500 wrote to memory of 1856	1500	WScript.exe	45
PID 1500 wrote to memory of 1856	1500	WScript.exe	45
PID 1500 wrote to memory of 1856	1500	WScript.exe	45
PID 1856 wrote to memory of 2660	1856	svchcst.exe	46
PID 1856 wrote to memory of 2660	1856	svchcst.exe	46
PID 1856 wrote to memory of 2660	1856	svchcst.exe	46
PID 1856 wrote to memory of 2660	1856	svchcst.exe	46
PID 2660 wrote to memory of 1764	2660	WScript.exe	47
PID 2660 wrote to memory of 1764	2660	WScript.exe	47
PID 2660 wrote to memory of 1764	2660	WScript.exe	47
PID 2660 wrote to memory of 1764	2660	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe
"C:\Users\Admin\AppData\Local\Temp\bb940f526889c808dbb6e670d2f13d9a5e6ee305f7d21db5a1b762962bc49c6f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5c9d6f3947fc28c78bcbd7efef6f29d2

SHA1
d0bbb8f023a34d034712476495bfe12de40e027c

SHA256
28ac4c731f9e3d411276ac28d4ccc8069885995b78f28ddd32688e62545f140d

SHA512
73b686e10dcb547deef3675c04bf25e5c791279ad459501ad20119bde0c0250ecd09a54d657fdbc8b8a0cec9d6f52ded5636bc2a4cc1f6e33c6e392e7a928318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8fbde3bf8f93558478d3a22036529b02

SHA1
dc18bf880a8d740cbad804ba8330cb4e94cdc428

SHA256
2634c1cf1d690089fb68cb780022eb05f8de8778f36477a7065e77a03bff33ee

SHA512
27d51a516a70995db8e8d127dd20fffbbbbbc8004c4a324a9324a1fe4389d29fb71f4695dbc61df358380c06fbbc5b9d8eca5c9d3445ac2e70cdbaf15077348e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d8037508f3dc91e3b1397a3903c62a7

SHA1
86f259f5a4aeae74c3a5046e3bd8c850afcb3fee

SHA256
cc30bd5c8b18ddfe751cdd3a4f76961d6d7cd8fbcb9e43b73bca1afdf7a7af46

SHA512
a1f9b601083030f6fca3589fec348e50483047c4d9abf7c1315157a78a6eefc8d8081ab0a12e4f3115ef589c1bdc1a5245a2a7cd99f76edf8e4d20e62af51ad6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0fd8fadf92900f028ac51c0d282190e

SHA1
3ed09088c9c861038b456f47885ee78a6cca3b0b

SHA256
44157a16567781070af8ec17782937d940087fdb85cbd750efa0d4406c1a304c

SHA512
764a8b4aeb5990fbd11fce409a5150675966f3e1ecbf47c09ea4d645b10bc89c1dc8f1061890f557c29dd78d96d8cefc3657eac8504245e11f37955f99d9cbc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a4635d48d59f731fe07276dc7c7dc8c

SHA1
1eb7d1c948b82e2de4b9e578b43f088013ac2e3e

SHA256
fe3928c66a1ddaf82c781a87d5f756a555c59ffb24691b309f5ba4d2272955c4

SHA512
4101eec14f3ee281bbbd8b3ba455264ff2ce956aaa91d81d0fdd6efac1e4b6dcd014bebb446bf8f824a813e705b638fd78c66a00dfb3d6c0e470bd9f30ec2823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25fd683ae8f52c1e19071472de5b8489

SHA1
0ae45cf94b39c3c691cd12ad80a1b61638b2d86e

SHA256
e2221ac48cf4ff58b38ac3ad0e1c09e08c44f6f07ad638bc777d77ef06e0116b

SHA512
67c96a198a05a67cfbe07adb2558bebbcaab240b18447559fcdfe5df37b99ef19200c7514df6107001c60dab950f60e138d17a80a3a0d2dc6a791121e0f5f434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d3c1b3597ef5e07b5b3c0af8888e2dd

SHA1
fce50e4d48c3559599b7705edb493d0197dadc79

SHA256
ba4bee86499c03d5cea60bb01ee1e2d0580fe20dfe45da0d4bdea70c716e1f25

SHA512
faf8fb7893844620d82968927ac31201dc2b654f52d2e307d03108ad95190cabc48a568ce249f286b6a3f2d2c8b54aa4511bf15434713c009c696827e02ff2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ee5a26a5006c706a4c32bfc1036c027

SHA1
7e92087756fd8c37457c2b8894a7693681ce6ee0

SHA256
dfb6be543b966d7593d606095f039ec05fb47f90c466c007733d06df0c395e7b

SHA512
137b44eb881d20c1a090027b63012881047124249a747807d1d391a0fc752ea8f1d7a2666cc9c56659bdcd6d7593878bee9022c7137ad443f3c0459b0a2cf5e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bff0c579213401b3ff52682fbb8cf5d1

SHA1
58fafa9cef87ad325509b35075449e90f109f722

SHA256
848dd405713956e09864443d69f496035c70150d94dc8dc4f2306bd588cb07d8

SHA512
1b1e3140bad1b649cbcab8dd0871fbba46e77a12bd65109d7910da4d6104bb32e244389b15026d94e1666350cf16cd8bb644c0347933e5d17f436ee9b980ce13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9dbfa646871e48ea74e59e5b4a07fd7c

SHA1
04bd23c229d7fd5cc104c4438d6dd78723731f95

SHA256
d2a6be67e5c586ae69044dc49358cd28fefe82822af6bc541b77e502eceb0789

SHA512
e169b14761e441f12df9a32c09c13a98ce158aade5ce25ea9d870ff3b2555794fe895f8627a7f8764b6b6fa5ea8b948e3e290d5eb0ea0fec1846ce6b5a5003dd

Download Submit
memory/484-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/484-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/604-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/604-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/648-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/648-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/700-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/700-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1228-58-0x0000000004820000-0x000000000497F000-memory.dmp

Filesize
1.4MB

Download
memory/1500-101-0x0000000004A00000-0x0000000004B5F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-176-0x0000000005EE0000-0x000000000603F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-227-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-228-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-71-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-185-0x00000000046A0000-0x00000000047FF000-memory.dmp

Filesize
1.4MB

Download
memory/2292-194-0x0000000005B80000-0x0000000005CDF000-memory.dmp

Filesize
1.4MB

Download
memory/2320-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-130-0x0000000004890000-0x00000000049EF000-memory.dmp

Filesize
1.4MB

Download
memory/2584-164-0x0000000004890000-0x00000000049EF000-memory.dmp

Filesize
1.4MB

Download
memory/2584-131-0x0000000004890000-0x00000000049EF000-memory.dmp

Filesize
1.4MB

Download
memory/2660-115-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-30-0x0000000004710000-0x000000000486F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-44-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-145-0x0000000004A40000-0x0000000004B9F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3040-261-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-87-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/3048-86-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download