a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
Size

1.1MB
MD5

3eea0bfd936008540680eff1af2b166b
SHA1

9d4487579231b8c44a4db8008861735c8249ffa5
SHA256

a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957
SHA512

faa638e8787f6af8e15f7f8dbe3c3c8f0b0498c103e0ee4c529f3fc5475316c473197ed4ccbb79f88fac0efd57320a8f78a9c19c12ccec4b2988008769f03425
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qf:acallSllG4ZM7QzM4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2324	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2324	svchcst.exe
1956	svchcst.exe
2984	svchcst.exe
1248	svchcst.exe
1764	svchcst.exe
868	svchcst.exe
2536	svchcst.exe
2072	svchcst.exe
2664	svchcst.exe
2388	svchcst.exe
3008	svchcst.exe
1060	svchcst.exe
1740	svchcst.exe
1952	svchcst.exe
2036	svchcst.exe
2420	svchcst.exe
2148	svchcst.exe
2380	svchcst.exe
2388	svchcst.exe
2260	svchcst.exe
2348	svchcst.exe
1520	svchcst.exe
2596	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2264	WScript.exe
2264	WScript.exe
2700	WScript.exe
2700	WScript.exe
3036	WScript.exe
3036	WScript.exe
1056	WScript.exe
1056	WScript.exe
1632	WScript.exe
1632	WScript.exe
488	WScript.exe
488	WScript.exe
2032	WScript.exe
2032	WScript.exe
1576	WScript.exe
1576	WScript.exe
2996	WScript.exe
2996	WScript.exe
884	WScript.exe
884	WScript.exe
3068	WScript.exe
3068	WScript.exe
2368	WScript.exe
2368	WScript.exe
2384	WScript.exe
2384	WScript.exe
1296	WScript.exe
1296	WScript.exe
1756	WScript.exe
1756	WScript.exe
2424	WScript.exe
2424	WScript.exe
2692	WScript.exe
2692	WScript.exe
2664	WScript.exe
2664	WScript.exe
344	WScript.exe
344	WScript.exe
1560	WScript.exe
1560	WScript.exe
2104	WScript.exe
2104	WScript.exe
1672	WScript.exe
1672	WScript.exe
868	WScript.exe
868	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
1956	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
2324	svchcst.exe
2324	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2264	1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe	29
PID 1820 wrote to memory of 2264	1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe	29
PID 1820 wrote to memory of 2264	1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe	29
PID 1820 wrote to memory of 2264	1820	a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe	29
PID 2264 wrote to memory of 2324	2264	WScript.exe	31
PID 2264 wrote to memory of 2324	2264	WScript.exe	31
PID 2264 wrote to memory of 2324	2264	WScript.exe	31
PID 2264 wrote to memory of 2324	2264	WScript.exe	31
PID 2324 wrote to memory of 2700	2324	svchcst.exe	32
PID 2324 wrote to memory of 2700	2324	svchcst.exe	32
PID 2324 wrote to memory of 2700	2324	svchcst.exe	32
PID 2324 wrote to memory of 2700	2324	svchcst.exe	32
PID 2700 wrote to memory of 1956	2700	WScript.exe	33
PID 2700 wrote to memory of 1956	2700	WScript.exe	33
PID 2700 wrote to memory of 1956	2700	WScript.exe	33
PID 2700 wrote to memory of 1956	2700	WScript.exe	33
PID 1956 wrote to memory of 3036	1956	svchcst.exe	34
PID 1956 wrote to memory of 3036	1956	svchcst.exe	34
PID 1956 wrote to memory of 3036	1956	svchcst.exe	34
PID 1956 wrote to memory of 3036	1956	svchcst.exe	34
PID 3036 wrote to memory of 2984	3036	WScript.exe	35
PID 3036 wrote to memory of 2984	3036	WScript.exe	35
PID 3036 wrote to memory of 2984	3036	WScript.exe	35
PID 3036 wrote to memory of 2984	3036	WScript.exe	35
PID 2984 wrote to memory of 1056	2984	svchcst.exe	36
PID 2984 wrote to memory of 1056	2984	svchcst.exe	36
PID 2984 wrote to memory of 1056	2984	svchcst.exe	36
PID 2984 wrote to memory of 1056	2984	svchcst.exe	36
PID 1056 wrote to memory of 1248	1056	WScript.exe	37
PID 1056 wrote to memory of 1248	1056	WScript.exe	37
PID 1056 wrote to memory of 1248	1056	WScript.exe	37
PID 1056 wrote to memory of 1248	1056	WScript.exe	37
PID 1248 wrote to memory of 1632	1248	svchcst.exe	38
PID 1248 wrote to memory of 1632	1248	svchcst.exe	38
PID 1248 wrote to memory of 1632	1248	svchcst.exe	38
PID 1248 wrote to memory of 1632	1248	svchcst.exe	38
PID 1632 wrote to memory of 1764	1632	WScript.exe	39
PID 1632 wrote to memory of 1764	1632	WScript.exe	39
PID 1632 wrote to memory of 1764	1632	WScript.exe	39
PID 1632 wrote to memory of 1764	1632	WScript.exe	39
PID 1764 wrote to memory of 488	1764	svchcst.exe	40
PID 1764 wrote to memory of 488	1764	svchcst.exe	40
PID 1764 wrote to memory of 488	1764	svchcst.exe	40
PID 1764 wrote to memory of 488	1764	svchcst.exe	40
PID 488 wrote to memory of 868	488	WScript.exe	41
PID 488 wrote to memory of 868	488	WScript.exe	41
PID 488 wrote to memory of 868	488	WScript.exe	41
PID 488 wrote to memory of 868	488	WScript.exe	41
PID 868 wrote to memory of 2032	868	svchcst.exe	42
PID 868 wrote to memory of 2032	868	svchcst.exe	42
PID 868 wrote to memory of 2032	868	svchcst.exe	42
PID 868 wrote to memory of 2032	868	svchcst.exe	42
PID 2032 wrote to memory of 2536	2032	WScript.exe	43
PID 2032 wrote to memory of 2536	2032	WScript.exe	43
PID 2032 wrote to memory of 2536	2032	WScript.exe	43
PID 2032 wrote to memory of 2536	2032	WScript.exe	43
PID 2536 wrote to memory of 1576	2536	svchcst.exe	44
PID 2536 wrote to memory of 1576	2536	svchcst.exe	44
PID 2536 wrote to memory of 1576	2536	svchcst.exe	44
PID 2536 wrote to memory of 1576	2536	svchcst.exe	44
PID 1576 wrote to memory of 2072	1576	WScript.exe	45
PID 1576 wrote to memory of 2072	1576	WScript.exe	45
PID 1576 wrote to memory of 2072	1576	WScript.exe	45
PID 1576 wrote to memory of 2072	1576	WScript.exe	45

C:\Users\Admin\AppData\Local\Temp\a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe
"C:\Users\Admin\AppData\Local\Temp\a12f12687d68214acd6a9cc676004f593e2bc23434fdf81a05dc06a0fa2d4957.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ed56950d31bf08fb3168805f800ce8b0

SHA1
47d382ed60576c193bb5bd4428c4b637142630e0

SHA256
b54386cd9c5674587bab37e74d5ad9006ed337d54955aa8214164db0aa476550

SHA512
1d819110ead95d2f63dcce51c85b5d4313ee1b250c6eac4d3472622eb07f2ccd9bb1962685a10319c2768cd4b750b75423aa26fe952ecff9b915d7bd5a5d7952

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
82a8678ed4da97742ecf569d9a7dba1c

SHA1
b707b082939b65fcf989c3927e9330126f5aa058

SHA256
9fee7995ef94f33c550d109f46b6dcdbeba82b57f30dd10e730823ec5f4976a6

SHA512
8fe2e778bca17f0504758f03a1b4af57b1ec2c467642eb449c6f3a1ab2794f3c19467395dcc73b156dbc2ee864ec9828569206423bde2578d74a27274274d476

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
45ab6f71271dfbc4f6e8c1b3c77d0ec0

SHA1
ce4dc7aa180e6c6ccb3ea85c65ee397f28566ab5

SHA256
f10bb70e022cb295959092c3059cf7fbb79ce0222b38b39a1e8190dfe4bb1c0a

SHA512
f1ec864e6747300b8670ca390b35dc73de2d888d164f8a1aa6a70e17a25a1985b45fc2efcd60e6a0a4e059f754152b091d4641bc95da11da3a6f71458761d0be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1be3daf58a0b8c01c3e720646597e73a

SHA1
bc7806f4fa5c362ff559f2d37bcb841f704cf2a2

SHA256
5e7ee3f32ed252a3ee7398c51c10758f849b8958edb0f1c9e1e6e928add0c002

SHA512
344d6c60e3e42f76ef5f8835e6881a56d0787570dfb20c343e556cafc08e1870d2e32ec60c1e7e93dee15d4dfbfb9f23ce66068ec4f88e6e5f04f30be42ca245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
27d3dd026f042077b0970f6a9d21d7be

SHA1
5fd3fd5d7469becb10b9060e28369a60af4bd047

SHA256
714536ec7ae06ee7d6087770fa3f17ec9f890209c8efe7466e054ec55bb758b6

SHA512
146b9acd98f10269a0040a040574958c226ba3d93993db6856b0d7690dcd6bf6d3603b68d1df96b109fe4dfd4d414241d93e8ec4f8c82202448019d8c34c4b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
74c15bd7eebb414102376d222d88fbd1

SHA1
6b41497eaa218df5e89519692393584616865dd4

SHA256
260a7b09faddafa7d48185971e87ed98c8a7e037fde03dccec1e438365e5174e

SHA512
2add1d2db2f59c9b40ec1efd240f61ebd176c7508804b0d62549f2bc3aa5ac1700770ee56f677f7fe82faf524345514d3f60e43970c5cacc15786a8af9949e97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
672f1354dd505fe2e785624a3d5fdb84

SHA1
55812d976f752d3d0beb17b18c32e22b53654d70

SHA256
88941b10c78015e71159639704e8b505f5da9e703383be42d31d094ab1e477cf

SHA512
7f37eeafd8a00a334e5e6bf008ce9ebcd109f6bef49dd9dc22cdc37bd689e294bcfb6bb2b4b9c5e5e25d113be2a51d2b362ff55353e1142f5fa11044fe0e25db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5561d58cd7e7b232710e5a9e2746f3da

SHA1
560c186747bed481b8f5edd2ae9e0d18a4113255

SHA256
da5984ae146dab366a4b4fc47801e8bc66dad1149e03d539dee028db7e148f5b

SHA512
524e010bf3fd6564955a6afdf2f43d0120b47da471067f785f69122d332f9560509d159451a231f79af85391e3e9c9a8b2d421ed3f457b6141acdd3803bd96bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9125d518f5d9cf22cd07ea9eba057e84

SHA1
e726701cb6100135af7423a433763e4558e2eb10

SHA256
e28f4417b7f1d7f1b3610262574cf31af170615d3c75fe073afb6e7689791ef5

SHA512
fa060682a2456eb9973f84de2abef510891104c8eeb2f7ccf371e1d84a36fd5c21cc637cc2c74d7b4c3977faec783f9e82eb0e72f5b2101a011d3f65ae0678fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
73689de1166421ed14d2bc7ccf2a050d

SHA1
2108e0386b75b9b339d92907cfde8affdd6460e7

SHA256
fc27718a71adb21c67d3ce5bbd437abd19d2557f7980734d982d49c0501836de

SHA512
29cfa9b29215011ecda552dc55d63ba927663e1ab8ada8af7987b3d018b4861aa2c82e56761537c3925a28a3373d887558c5049c3feb22a5c3a9bc420127da5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f7ddf69e202578e44ace9bae987ce08

SHA1
f05a3e6721abc4cd7c46b4575598771de740bc43

SHA256
648c30bf0b2ab005fb4b0af0114cea7309d00eabbcef4c5013fa2ffd898dcf68

SHA512
46da1eda98a4aa990fb602b086fcd8ffa7ad1297b0c33367ad0c0cd7c7b50ff1d9904d9cf87b0e24f61508016e87c2062ad7cbd7f67e29ff5fd04de1b4221c04

Download Submit
memory/344-224-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/344-229-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/868-261-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/868-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/884-141-0x0000000005AF0000-0x0000000005C4F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-178-0x00000000046C0000-0x000000000481F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-259-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-260-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/1560-238-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/1740-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-101-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/2036-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-243-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2148-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-15-0x00000000058B0000-0x0000000005A0F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-169-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-195-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-168-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2388-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-196-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2536-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2536-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-262-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-214-0x00000000043B0000-0x000000000450F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-215-0x00000000043B0000-0x000000000450F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-205-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/2692-206-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/2700-31-0x00000000057F0000-0x000000000594F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-45-0x0000000004500000-0x000000000465F000-memory.dmp

Filesize
1.4MB

Download