739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
Size

1.1MB
MD5

e45987d709ae39958be3dbc014471147
SHA1

2bc4dc9c03124df69c97e35395493a1016c56b3b
SHA256

739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da
SHA512

ce44209c8baa926be7ed3c1e68905233c456de1853e4fdc2b9a706260c0a51b9c05146d58db1bc7f0289e02723c55692efa2e22e2c73b7087fdcecf8608ee9dd
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qp:acallSllG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2924	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2924	svchcst.exe
1452	svchcst.exe
1312	svchcst.exe
2972	svchcst.exe
964	svchcst.exe
1500	svchcst.exe
328	svchcst.exe
2684	svchcst.exe
2752	svchcst.exe
1628	svchcst.exe
1652	svchcst.exe
1756	svchcst.exe
556	svchcst.exe
1840	svchcst.exe
2440	svchcst.exe
2308	svchcst.exe
1996	svchcst.exe
2984	svchcst.exe
1188	svchcst.exe
1700	svchcst.exe
1684	svchcst.exe
924	svchcst.exe
1008	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2464	WScript.exe
2464	WScript.exe
2680	WScript.exe
2680	WScript.exe
2896	WScript.exe
2896	WScript.exe
2292	WScript.exe
2292	WScript.exe
576	WScript.exe
576	WScript.exe
1672	WScript.exe
1672	WScript.exe
2612	WScript.exe
2612	WScript.exe
2000	WScript.exe
2000	WScript.exe
2716	WScript.exe
2716	WScript.exe
2300	WScript.exe
2300	WScript.exe
2152	WScript.exe
2152	WScript.exe
1356	WScript.exe
1356	WScript.exe
1120	WScript.exe
1120	WScript.exe
2996	WScript.exe
2996	WScript.exe
2168	WScript.exe
2168	WScript.exe
2516	WScript.exe
2516	WScript.exe
2696	WScript.exe
2696	WScript.exe
2716	WScript.exe
2716	WScript.exe
2016	WScript.exe
2016	WScript.exe
1396	WScript.exe
1396	WScript.exe
3056	WScript.exe
3056	WScript.exe
1128	WScript.exe
1128	WScript.exe
1584	WScript.exe
1584	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
2924	svchcst.exe
2924	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
1312	svchcst.exe
1312	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
964	svchcst.exe
964	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
328	svchcst.exe
328	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
556	svchcst.exe
556	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
1188	svchcst.exe
1188	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
924	svchcst.exe
924	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2464	2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe	30
PID 2504 wrote to memory of 2464	2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe	30
PID 2504 wrote to memory of 2464	2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe	30
PID 2504 wrote to memory of 2464	2504	739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe	30
PID 2464 wrote to memory of 2924	2464	WScript.exe	32
PID 2464 wrote to memory of 2924	2464	WScript.exe	32
PID 2464 wrote to memory of 2924	2464	WScript.exe	32
PID 2464 wrote to memory of 2924	2464	WScript.exe	32
PID 2924 wrote to memory of 2680	2924	svchcst.exe	33
PID 2924 wrote to memory of 2680	2924	svchcst.exe	33
PID 2924 wrote to memory of 2680	2924	svchcst.exe	33
PID 2924 wrote to memory of 2680	2924	svchcst.exe	33
PID 2680 wrote to memory of 1452	2680	WScript.exe	34
PID 2680 wrote to memory of 1452	2680	WScript.exe	34
PID 2680 wrote to memory of 1452	2680	WScript.exe	34
PID 2680 wrote to memory of 1452	2680	WScript.exe	34
PID 1452 wrote to memory of 2896	1452	svchcst.exe	35
PID 1452 wrote to memory of 2896	1452	svchcst.exe	35
PID 1452 wrote to memory of 2896	1452	svchcst.exe	35
PID 1452 wrote to memory of 2896	1452	svchcst.exe	35
PID 2896 wrote to memory of 1312	2896	WScript.exe	37
PID 2896 wrote to memory of 1312	2896	WScript.exe	37
PID 2896 wrote to memory of 1312	2896	WScript.exe	37
PID 2896 wrote to memory of 1312	2896	WScript.exe	37
PID 1312 wrote to memory of 2292	1312	svchcst.exe	38
PID 1312 wrote to memory of 2292	1312	svchcst.exe	38
PID 1312 wrote to memory of 2292	1312	svchcst.exe	38
PID 1312 wrote to memory of 2292	1312	svchcst.exe	38
PID 2292 wrote to memory of 2972	2292	WScript.exe	39
PID 2292 wrote to memory of 2972	2292	WScript.exe	39
PID 2292 wrote to memory of 2972	2292	WScript.exe	39
PID 2292 wrote to memory of 2972	2292	WScript.exe	39
PID 2972 wrote to memory of 576	2972	svchcst.exe	40
PID 2972 wrote to memory of 576	2972	svchcst.exe	40
PID 2972 wrote to memory of 576	2972	svchcst.exe	40
PID 2972 wrote to memory of 576	2972	svchcst.exe	40
PID 576 wrote to memory of 964	576	WScript.exe	41
PID 576 wrote to memory of 964	576	WScript.exe	41
PID 576 wrote to memory of 964	576	WScript.exe	41
PID 576 wrote to memory of 964	576	WScript.exe	41
PID 964 wrote to memory of 1672	964	svchcst.exe	42
PID 964 wrote to memory of 1672	964	svchcst.exe	42
PID 964 wrote to memory of 1672	964	svchcst.exe	42
PID 964 wrote to memory of 1672	964	svchcst.exe	42
PID 1672 wrote to memory of 1500	1672	WScript.exe	43
PID 1672 wrote to memory of 1500	1672	WScript.exe	43
PID 1672 wrote to memory of 1500	1672	WScript.exe	43
PID 1672 wrote to memory of 1500	1672	WScript.exe	43
PID 1500 wrote to memory of 2612	1500	svchcst.exe	44
PID 1500 wrote to memory of 2612	1500	svchcst.exe	44
PID 1500 wrote to memory of 2612	1500	svchcst.exe	44
PID 1500 wrote to memory of 2612	1500	svchcst.exe	44
PID 2612 wrote to memory of 328	2612	WScript.exe	45
PID 2612 wrote to memory of 328	2612	WScript.exe	45
PID 2612 wrote to memory of 328	2612	WScript.exe	45
PID 2612 wrote to memory of 328	2612	WScript.exe	45
PID 328 wrote to memory of 2000	328	svchcst.exe	46
PID 328 wrote to memory of 2000	328	svchcst.exe	46
PID 328 wrote to memory of 2000	328	svchcst.exe	46
PID 328 wrote to memory of 2000	328	svchcst.exe	46
PID 2000 wrote to memory of 2684	2000	WScript.exe	47
PID 2000 wrote to memory of 2684	2000	WScript.exe	47
PID 2000 wrote to memory of 2684	2000	WScript.exe	47
PID 2000 wrote to memory of 2684	2000	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe
"C:\Users\Admin\AppData\Local\Temp\739c13649476661762a2ddefe71f249662e5947bc9e7c81c000f3ddc95e1a1da.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1452
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        49⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        50⤵
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a23e9045780a348c3207097e4c817569

SHA1
de33667f33f125a3e90954e327752425077f2a12

SHA256
5a64ea65210ee0930094469db3d4bae629a7752ea32e19d4073a97f4dd9647bf

SHA512
179ba1a5dcf9e85ef3cb5178cc6fb2bb3cd32f19218e34fb64ba948e5a01e7c926ceb67c45f2ad300b8240002b74e89368d343172ad94900eeea36747916d45a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b583e43db5444b61f2a05098bfdb56a9

SHA1
090f879cdc462ada744ada284a57a95abee6df56

SHA256
8e3e5108bc270bf8818ec1d7bb404c7b9d6a791caa48ff2b7a9d743b71e0b8fa

SHA512
fba875fdcf9ddfbbb2ef3f4579b1d94b3f97837ac24b1fc78e8f538f85c7071bac39b347296227807f2b0067f5668b542cf40686d6d01897e7c8fcc6a9264e02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4aa1a12bde46322d569766c95a5a612e

SHA1
90001b51470fd7a7b7a69b3e5ee4b71b4120b2e8

SHA256
95ded70b71a481921a1b43277b3330fb991b5e8723b9b8df8be34ee7af15b7f7

SHA512
5f9a687dcf4f561360859133b98277f32862668137979920fd12c8cad5234408d80007df969e2fd6b77e55825eb9633354716384584dd9e9af37118aaa418cb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e005e21c99eb65b35fc6a11432a9b4a

SHA1
da6fee196b40c643e6afa4a31940d2c52865a592

SHA256
249ff190a7cafa185e195bb36044195b2b414f1712c2a696d76133fe3bb7c23c

SHA512
38048c9bc02b841eacd08bd3db648d939b1d7be22b4ed0ab9c22b37f7d59d83b5576311f14107b58e2429a6a92fc0683740b4ffc4860f748f3612bd5abd62c15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ef9667ed4ea5fe42a081d653b6e0b3d9

SHA1
65277b3b37c8385073f51eb85f80c24b7f96c135

SHA256
51e5bfc7d8fdc61e72736b681586251a24a52775190a710868d29b9be9d8e4a1

SHA512
61d11f81be4414075a7c007d6c7e3dcd1950841808e4c4a925238ff7db262a1ecc4d75185803d08772ce7957f2f25a79ed09d45c246e18392b7148e834b674a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fd353a0247692094650e20a9cbc82821

SHA1
f526d75f147d0979c75ac914774f6f3ca15acfc4

SHA256
e6d36ca04b0bf604ca3dc40ab65ea0b35fec18991a4f80cfedf7724b0cbb5206

SHA512
28257543b92924ff180ee367bbe27c263c41314cee5946d96a8007d51cca214815112341af84f354ee756c8800aa668179b4cb0075c54bad3b811f27f64e70c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7108134bd2ac9a0df5c35fd030ebaac4

SHA1
b559042bae51fc5f09c91211ed653d05e40625c9

SHA256
f849cbd680d2e4859eddba48522595f35f8c3d09c050a515b52dd0b0a87c0557

SHA512
92c1ac3f4efa0c09d91aabdff9bfe2a8da95c45e29fd8a60282d27eb287d791bcd2704ac25a99a1f9cfa4e0057de84d505723832d9c725304b17be138e54137b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c6c2b983eeefdb3db61906e95af72ce2

SHA1
6eda78a92deda4c5c279b1df3d1c49546b15a25f

SHA256
4a072b13d3b1094ee3f5091b55d0ccdd086baab5d765211adf43a966bdec1b07

SHA512
2f7e348c841c4f8c8844f5fee3b417af77c6d8f6fa46b0a82aca8303cf44dcaff0aeff4c9e7c545a05618c5baafa1fa9fd382f9c28716e4c90aaa03dd6fd22cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8caeac3af62aae529c89d86ecffd686

SHA1
1ffcc6473a982812519520150d66a5df458c6221

SHA256
233bb1861bd7c9b44e5da4fe9a10a8287f6727b66c56506833f797739c4a52c2

SHA512
5e57b4b42affd084ad5e5d24453d35c0f381b391a5ce49d35e96e8909a4b84b5950acbbbc1c932218bf784a07e792bdc96e8c2a7cfbf289e40fdf26f421c6ac1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e1beb6059dd679f8d2b92eba14bf11e

SHA1
86e74018a29cb101799fe10b2e24fa81eff001c6

SHA256
5a1847af30e6e6f7dd016fb9116eee81976d6bbf9b614b550734b91e771b9c8d

SHA512
c284ae2fcc151047bc00adccc4f576d280a3251042ec40d88a3fd746cfae84b439d1ae987c780ac6b9ba27929bc6395ad8474f9a2e700dc44095b4d9a4dd6177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
479d4f003b0d04dcad94a8e7209ad879

SHA1
4587f44b5cefe9f8063ca5b9c266bce3cb9a098b

SHA256
40d958e82735a6536534da66aafc815396bcc92e84d05e0a1cdd1f462310374a

SHA512
384643f2caa1248ab83fbd4b660cb05cbee7cc8c728c7ddfba36153446acd87bae6585f8a809d06baad050028bcc002a92b2e0bb2ec604e44fa2a4ed2dfc5fa8

Download Submit
memory/328-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/556-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/576-72-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/576-71-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/756-261-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/924-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/964-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/964-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-169-0x0000000004300000-0x000000000445F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-160-0x0000000005CB0000-0x0000000005E0F000-memory.dmp

Filesize
1.4MB

Download
memory/1396-228-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1396-229-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1452-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1500-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1672-86-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/1672-87-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/1684-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1700-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1700-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-114-0x0000000005AF0000-0x0000000005C4F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-151-0x0000000004A60000-0x0000000004BBF000-memory.dmp

Filesize
1.4MB

Download
memory/2168-184-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-56-0x0000000004500000-0x000000000465F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-143-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-13-0x0000000004040000-0x000000000419F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-14-0x0000000004040000-0x000000000419F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-193-0x0000000004420000-0x000000000457F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-101-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/2684-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-202-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-211-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-129-0x0000000004970000-0x0000000004ACF000-memory.dmp

Filesize
1.4MB

Download
memory/2716-128-0x0000000004970000-0x0000000004ACF000-memory.dmp

Filesize
1.4MB

Download
memory/2752-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-43-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download