1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Size

1.1MB
MD5

a0355b8e3ef2cad724fc6ced7e45ab2a
SHA1

abdf578bfde36f4efe62c4b79bc415701de18483
SHA256

1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8
SHA512

c78dde76cc660b5ed4c05a0a53cfe08676438aa7d051322e4c14c45a05d69c0fdad93c703dea664b95815e6953fdd283e0e870d417f436dc1539304d27ca44e3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QH:acallSllG4ZM7QzMg

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2132	svchcst.exe
2552	svchcst.exe
1308	svchcst.exe
2160	svchcst.exe
2932	svchcst.exe
2912	svchcst.exe
1488	svchcst.exe
2784	svchcst.exe
1664	svchcst.exe
2428	svchcst.exe
2468	svchcst.exe
1600	svchcst.exe
1376	svchcst.exe
1688	svchcst.exe
2500	svchcst.exe
1992	svchcst.exe
2644	svchcst.exe
2880	svchcst.exe
2952	svchcst.exe
2468	svchcst.exe
2316	svchcst.exe
2444	svchcst.exe
1356	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2920	WScript.exe
2920	WScript.exe
1480	WScript.exe
1480	WScript.exe
1948	WScript.exe
1948	WScript.exe
2548	WScript.exe
2548	WScript.exe
2232	WScript.exe
2232	WScript.exe
1180	WScript.exe
2288	WScript.exe
2288	WScript.exe
328	WScript.exe
328	WScript.exe
3020	WScript.exe
588	WScript.exe
2888	WScript.exe
1788	WScript.exe
1996	WScript.exe
1996	WScript.exe
1692	WScript.exe
1692	WScript.exe
1152	WScript.exe
1152	WScript.exe
2752	WScript.exe
2752	WScript.exe
916	WScript.exe
916	WScript.exe
3000	WScript.exe
3000	WScript.exe
304	WScript.exe
304	WScript.exe
2340	WScript.exe
2340	WScript.exe
2456	WScript.exe
2456	WScript.exe
2944	WScript.exe
2944	WScript.exe
2516	WScript.exe
2516	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
2132	svchcst.exe
2132	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
1308	svchcst.exe
1308	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1376	svchcst.exe
1376	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2920	2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	30
PID 2764 wrote to memory of 2920	2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	30
PID 2764 wrote to memory of 2920	2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	30
PID 2764 wrote to memory of 2920	2764	1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe	30
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2132 wrote to memory of 1480	2132	svchcst.exe	33
PID 2132 wrote to memory of 1480	2132	svchcst.exe	33
PID 2132 wrote to memory of 1480	2132	svchcst.exe	33
PID 2132 wrote to memory of 1480	2132	svchcst.exe	33
PID 1480 wrote to memory of 2552	1480	WScript.exe	34
PID 1480 wrote to memory of 2552	1480	WScript.exe	34
PID 1480 wrote to memory of 2552	1480	WScript.exe	34
PID 1480 wrote to memory of 2552	1480	WScript.exe	34
PID 2552 wrote to memory of 1948	2552	svchcst.exe	35
PID 2552 wrote to memory of 1948	2552	svchcst.exe	35
PID 2552 wrote to memory of 1948	2552	svchcst.exe	35
PID 2552 wrote to memory of 1948	2552	svchcst.exe	35
PID 1948 wrote to memory of 1308	1948	WScript.exe	36
PID 1948 wrote to memory of 1308	1948	WScript.exe	36
PID 1948 wrote to memory of 1308	1948	WScript.exe	36
PID 1948 wrote to memory of 1308	1948	WScript.exe	36
PID 1308 wrote to memory of 2548	1308	svchcst.exe	37
PID 1308 wrote to memory of 2548	1308	svchcst.exe	37
PID 1308 wrote to memory of 2548	1308	svchcst.exe	37
PID 1308 wrote to memory of 2548	1308	svchcst.exe	37
PID 2548 wrote to memory of 2160	2548	WScript.exe	38
PID 2548 wrote to memory of 2160	2548	WScript.exe	38
PID 2548 wrote to memory of 2160	2548	WScript.exe	38
PID 2548 wrote to memory of 2160	2548	WScript.exe	38
PID 2160 wrote to memory of 2232	2160	svchcst.exe	39
PID 2160 wrote to memory of 2232	2160	svchcst.exe	39
PID 2160 wrote to memory of 2232	2160	svchcst.exe	39
PID 2160 wrote to memory of 2232	2160	svchcst.exe	39
PID 2232 wrote to memory of 2932	2232	WScript.exe	41
PID 2232 wrote to memory of 2932	2232	WScript.exe	41
PID 2232 wrote to memory of 2932	2232	WScript.exe	41
PID 2232 wrote to memory of 2932	2232	WScript.exe	41
PID 2932 wrote to memory of 1180	2932	svchcst.exe	42
PID 2932 wrote to memory of 1180	2932	svchcst.exe	42
PID 2932 wrote to memory of 1180	2932	svchcst.exe	42
PID 2932 wrote to memory of 1180	2932	svchcst.exe	42
PID 1180 wrote to memory of 2912	1180	WScript.exe	43
PID 1180 wrote to memory of 2912	1180	WScript.exe	43
PID 1180 wrote to memory of 2912	1180	WScript.exe	43
PID 1180 wrote to memory of 2912	1180	WScript.exe	43
PID 2912 wrote to memory of 2288	2912	svchcst.exe	44
PID 2912 wrote to memory of 2288	2912	svchcst.exe	44
PID 2912 wrote to memory of 2288	2912	svchcst.exe	44
PID 2912 wrote to memory of 2288	2912	svchcst.exe	44
PID 2288 wrote to memory of 1488	2288	WScript.exe	45
PID 2288 wrote to memory of 1488	2288	WScript.exe	45
PID 2288 wrote to memory of 1488	2288	WScript.exe	45
PID 2288 wrote to memory of 1488	2288	WScript.exe	45
PID 1488 wrote to memory of 328	1488	svchcst.exe	46
PID 1488 wrote to memory of 328	1488	svchcst.exe	46
PID 1488 wrote to memory of 328	1488	svchcst.exe	46
PID 1488 wrote to memory of 328	1488	svchcst.exe	46
PID 328 wrote to memory of 2784	328	WScript.exe	47
PID 328 wrote to memory of 2784	328	WScript.exe	47
PID 328 wrote to memory of 2784	328	WScript.exe	47
PID 328 wrote to memory of 2784	328	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe
"C:\Users\Admin\AppData\Local\Temp\1a5b6683f12d98cd3375b1621e409ba83489b939c32a7c3d4c7b88e8a47632b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
90bb0a7f1d71933019eb43f7840187e2

SHA1
71e6b580511e8cd689b1744fed0e3387e6fc2590

SHA256
79475403edc11075740a1600ff7056c7a23a31d0df39b7df51e14aa041917840

SHA512
c578f8a41f466f2cc205c0c9c8e9deac34085d5d3173161ceb3fbfaa9aabbfea8a56d085fe51d46520e2f3210e3f4350a8f6134033c9ff79df8ff3e5414b3a4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f565fac04a83c3f88ef1c4df64569628

SHA1
b932ac31f0d09a4f3aa8fcc6582b52a0bb036b35

SHA256
cd5d4ad1a14cad1c761db8acac46c29f6f43ff082b4a60b0093ffad9b0a98b1c

SHA512
eed9e10f55810dc5f992f032802cec813830f39ede4863150331c4c6343009a43f0bceb1def17628a11af77fbe571b6314050883e94c5a28b864808abaf2cc6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7fa2c953ef1c2be7335472ad7a3c72e6

SHA1
7661adc3151065839dfead84e8914fa4cbbf12f8

SHA256
e7d7c6cccf4c183ff5760a325edb4479fc52d10eb4f4633ef0ae4d498f741260

SHA512
9316a02228372882d2bb7b9f66a6ca3b79f55e872045511024105b0268a893c5d5a7d49b8b1a03a78f338fe87a491ee704226c3b6a76b26a075e88722c7f55bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c263ffcfe36bc398390f6885ea4b0ce

SHA1
a422ab3f43eda93f80abc471e0d52f4e43f5623b

SHA256
7a0c961d123e63dbe4d24a35c94e2147a3bbb6f2c0707b4c5f8d1fd901182d94

SHA512
61351d2d9f7b6cf7c4eaa45574d88f0125346204951a1d0d88c4a8a170926daa038faa269ab0dcad94dbcbc0fa3b4448cb8413be3273e521c7173c0f76f64456

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
01784f809d8652c61a4beae4a8019d2e

SHA1
e29ae649d5e68be191eb26385dcb176f08a785c9

SHA256
3b20387778c991c0fd365ace3bfcfde2c5f5b82b3919728a18178478a50c2868

SHA512
b4d6836dc6cc445afc7c6ef90ab62a6fc2211f44ee0e06fa0c69f4c87f3ba1ec64fd7c541f598c13f4ad73fc21fcbd32289ddb302490bcf7e153bd9b239dba83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58a6f91a2d9fcea28ce9f795f22256e5

SHA1
9fd1d938b7fb309c426d4419878d96986d81b2ce

SHA256
b8bf3e3995d2d4ee0573652f163e6d2ab44e5bbcb993695040b47ad0efde0c64

SHA512
984f839b56a9c6b37ba4fbd756fb0f038dd30bab8144a18b60e7816238912a079b74a2399ea117437bf4f2f2bd0a75ecce263d15f7a454e424659fa746d06dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eb8690834a2bd8b8d859e44fd06943d8

SHA1
27f26a7486650aee2a813f8d8c751649674a2522

SHA256
f6eee9677339446f4e41b07e2962073f38bc75b1e5b1f0d8dd18acbb07989eb6

SHA512
fa73e6b6b4a38ac938e2bd2bde46efbe7bd38a498eed3dd4fe058f623f2e2d5bdca2104240a7b10ef14a71a510260bb0449bb7e8b39ae6ce20c23256e449c9ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9e0862a05673a3f31e03e9b091fd0997

SHA1
3cc79563b75696de0e1eba0ce84fe57fc3dea809

SHA256
acf43f4d1197762a91559715a0170850b77b94a4ead021c4fe15ce5ec689a58e

SHA512
972b79573b08a33213a2f19cd251c1546d9a91c8a50761e55994bb529403205e28cf98af14aef3e76149be92b33a87165ccdee862c64ad02d7281b96def6b014

Download Submit
memory/588-141-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/1180-82-0x0000000004A70000-0x0000000004BCF000-memory.dmp

Filesize
1.4MB

Download
memory/1308-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1376-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1376-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-28-0x0000000004710000-0x000000000486F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-205-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-165-0x00000000047C0000-0x000000000491F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-74-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-113-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-97-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-98-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-247-0x0000000004AE0000-0x0000000004C3F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-125-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download