89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Size

1.1MB
MD5

058c96e6ca8a9b4b678af5c0f2d8ee3e
SHA1

6940d9f4e3fcfde303dc3dd6191f66a6e2a100c8
SHA256

89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9
SHA512

9507f130b9de90ce98b110b0c44aa4aa10918c600de408a97ee393475b9b9ccd4711222106246482734fcec2561e52a6758e0c87fb02f97772139a87b6771dca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMg

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2800	svchcst.exe
2016	svchcst.exe
772	svchcst.exe
556	svchcst.exe
1248	svchcst.exe
880	svchcst.exe
1504	svchcst.exe
2988	svchcst.exe
3028	svchcst.exe
308	svchcst.exe
2592	svchcst.exe
1004	svchcst.exe
1696	svchcst.exe
1760	svchcst.exe
2236	svchcst.exe
2328	svchcst.exe
1936	svchcst.exe
1828	svchcst.exe
2620	svchcst.exe
2064	svchcst.exe
1380	svchcst.exe
932	svchcst.exe
2384	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
2332	WScript.exe
2332	WScript.exe
2552	WScript.exe
1480	WScript.exe
1480	WScript.exe
856	WScript.exe
856	WScript.exe
656	WScript.exe
656	WScript.exe
1388	WScript.exe
1388	WScript.exe
1332	WScript.exe
1332	WScript.exe
1972	WScript.exe
1972	WScript.exe
2796	WScript.exe
2796	WScript.exe
2836	WScript.exe
2836	WScript.exe
768	WScript.exe
768	WScript.exe
2424	WScript.exe
2424	WScript.exe
1176	WScript.exe
1176	WScript.exe
1984	WScript.exe
1984	WScript.exe
316	WScript.exe
316	WScript.exe
3056	WScript.exe
3056	WScript.exe
3008	WScript.exe
3008	WScript.exe
1808	WScript.exe
1808	WScript.exe
1260	WScript.exe
1260	WScript.exe
2176	WScript.exe
2176	WScript.exe
2948	WScript.exe
2948	WScript.exe
1052	WScript.exe
1052	WScript.exe
1696	WScript.exe
1696	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
2800	svchcst.exe
2800	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
772	svchcst.exe
772	svchcst.exe
556	svchcst.exe
556	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
880	svchcst.exe
880	svchcst.exe
1504	svchcst.exe
1504	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
308	svchcst.exe
308	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
1004	svchcst.exe
1004	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
932	svchcst.exe
932	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2332	2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	30
PID 2988 wrote to memory of 2332	2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	30
PID 2988 wrote to memory of 2332	2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	30
PID 2988 wrote to memory of 2332	2988	89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe	30
PID 2332 wrote to memory of 2800	2332	WScript.exe	32
PID 2332 wrote to memory of 2800	2332	WScript.exe	32
PID 2332 wrote to memory of 2800	2332	WScript.exe	32
PID 2332 wrote to memory of 2800	2332	WScript.exe	32
PID 2800 wrote to memory of 2552	2800	svchcst.exe	33
PID 2800 wrote to memory of 2552	2800	svchcst.exe	33
PID 2800 wrote to memory of 2552	2800	svchcst.exe	33
PID 2800 wrote to memory of 2552	2800	svchcst.exe	33
PID 2552 wrote to memory of 2016	2552	WScript.exe	34
PID 2552 wrote to memory of 2016	2552	WScript.exe	34
PID 2552 wrote to memory of 2016	2552	WScript.exe	34
PID 2552 wrote to memory of 2016	2552	WScript.exe	34
PID 2016 wrote to memory of 1480	2016	svchcst.exe	35
PID 2016 wrote to memory of 1480	2016	svchcst.exe	35
PID 2016 wrote to memory of 1480	2016	svchcst.exe	35
PID 2016 wrote to memory of 1480	2016	svchcst.exe	35
PID 1480 wrote to memory of 772	1480	WScript.exe	37
PID 1480 wrote to memory of 772	1480	WScript.exe	37
PID 1480 wrote to memory of 772	1480	WScript.exe	37
PID 1480 wrote to memory of 772	1480	WScript.exe	37
PID 772 wrote to memory of 856	772	svchcst.exe	38
PID 772 wrote to memory of 856	772	svchcst.exe	38
PID 772 wrote to memory of 856	772	svchcst.exe	38
PID 772 wrote to memory of 856	772	svchcst.exe	38
PID 856 wrote to memory of 556	856	WScript.exe	39
PID 856 wrote to memory of 556	856	WScript.exe	39
PID 856 wrote to memory of 556	856	WScript.exe	39
PID 856 wrote to memory of 556	856	WScript.exe	39
PID 556 wrote to memory of 656	556	svchcst.exe	40
PID 556 wrote to memory of 656	556	svchcst.exe	40
PID 556 wrote to memory of 656	556	svchcst.exe	40
PID 556 wrote to memory of 656	556	svchcst.exe	40
PID 656 wrote to memory of 1248	656	WScript.exe	41
PID 656 wrote to memory of 1248	656	WScript.exe	41
PID 656 wrote to memory of 1248	656	WScript.exe	41
PID 656 wrote to memory of 1248	656	WScript.exe	41
PID 1248 wrote to memory of 1388	1248	svchcst.exe	42
PID 1248 wrote to memory of 1388	1248	svchcst.exe	42
PID 1248 wrote to memory of 1388	1248	svchcst.exe	42
PID 1248 wrote to memory of 1388	1248	svchcst.exe	42
PID 1388 wrote to memory of 880	1388	WScript.exe	43
PID 1388 wrote to memory of 880	1388	WScript.exe	43
PID 1388 wrote to memory of 880	1388	WScript.exe	43
PID 1388 wrote to memory of 880	1388	WScript.exe	43
PID 880 wrote to memory of 1332	880	svchcst.exe	44
PID 880 wrote to memory of 1332	880	svchcst.exe	44
PID 880 wrote to memory of 1332	880	svchcst.exe	44
PID 880 wrote to memory of 1332	880	svchcst.exe	44
PID 1332 wrote to memory of 1504	1332	WScript.exe	45
PID 1332 wrote to memory of 1504	1332	WScript.exe	45
PID 1332 wrote to memory of 1504	1332	WScript.exe	45
PID 1332 wrote to memory of 1504	1332	WScript.exe	45
PID 1504 wrote to memory of 1972	1504	svchcst.exe	46
PID 1504 wrote to memory of 1972	1504	svchcst.exe	46
PID 1504 wrote to memory of 1972	1504	svchcst.exe	46
PID 1504 wrote to memory of 1972	1504	svchcst.exe	46
PID 1972 wrote to memory of 2988	1972	WScript.exe	47
PID 1972 wrote to memory of 2988	1972	WScript.exe	47
PID 1972 wrote to memory of 2988	1972	WScript.exe	47
PID 1972 wrote to memory of 2988	1972	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe
"C:\Users\Admin\AppData\Local\Temp\89d4d80bec5fc2e4428cdfd93a5ff8e05e0aa2592f22e14cc6b1cd66df808ea9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
16319de573a6043ab685873f9144a6be

SHA1
3e02d57fbbfa190b6b4206d56af1631b2b249ab8

SHA256
e36c809467823799a1d6ec1d14e3e126e2cc038a0dcdd116ebbdb0aa5e263752

SHA512
ea0b7a4e34cc77347139ac1903c23e5ae271a9da1f5039fb71eafb7412e3b026024c452be15bfd55cbbcd04453940c1a18f2bf1d669944e957608739504ef56e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1106df09ec5fdde059876fabb3b189f8

SHA1
ff325b628bb07f43bc277ad1b343ca9b797324f1

SHA256
646d2e16d16c0dc4f95a42ab11dd666e4ecb28752154e1586316faa059fa0829

SHA512
0503a6256c3b327ee4f56644baa5d4237e00877e3502e044d3d698626d32e05f0ec2a71187ce371cf7d68f888e8ceb43a0212b8cce3e74d8f5607c21e574db86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee0711e9052ce7329c3ebd6a1136faab

SHA1
29e9347712ef2a1089c4f89e366a7eaaa94d5c5b

SHA256
1ec1bb4be56d65752594dd185cb79e7c4321c1493653f3ccad440d138dd74bbb

SHA512
9b6f5e5debfc80cf506d45c030b2987a6c27527f9c5865fc7175bb05f4efaf01cc13b951e4a54ca538374716736a9cbdf6c4ca35ba6959e28e4d193a9f355c61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5321c0d3ad261ce471b3a210def8dde

SHA1
9424c055eb27ad2b6c20e682b906cc2ce6f987d4

SHA256
bcff4d38816b180ab6cc6f5e49ab28f8b31ad3111498889d8f85f0d3180b39a5

SHA512
a5c70ea47f9d244f3ed5507c69c0fc5a700f842db29099cd647656218537206fa189840c66a97f51bc28922ed1c0437973174fab763a6b90c6e1410d4d11ee97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a6d3f8f6c33f240b6ce630a6c53f226b

SHA1
7d8b973fa691dfc5b207d13cb6991c0219062e10

SHA256
658fa8eed424d1123ccc154ec88245f5217588ddebce8b37fea6c9b85f8f6e2c

SHA512
18e8204eaaa48882774ef9667e12a60c10ffc1742875b4391af24646be36f3374f6f9c4c7cf76db424e51bb448c52eeff22518ce1cd3cfdee6d37adaccfdade9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
27617e358922784934428d74fed3858d

SHA1
5b037a022b984b94894a318f63f7f663152603cd

SHA256
7a906fe1d6c5edf535fc8e848860549001de9b389cd554852ba65aecde97b317

SHA512
471780b9b03d7815c7f544980b3c12182a9c830ae0081eecd0b8817eeb71d0264125ce07e6fc376e6de9b52545d507905410fcdbe7af8b4915540f0f3faa2b78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d9dbe212cbdfeaed0b6e768fdbc5511

SHA1
eb538ebeae1c29d1e3eab2f037105261e0fabfb7

SHA256
6427ac91b3ec4e713e556fd8da1652ca09c393ffd459ff9574405f9104264d0a

SHA512
89d9c7a3a792a34972b794873aa4baf289cedeeb43e67b8bf40ee920105c6ecd3d4d266bdc662c8cc4c700693ea6b068ce742620bfa81c314e4c70be838ca6e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
553291f7ae8940a78a0f14c177531b35

SHA1
14f6b0a6887b517c82cca13f1058f8c09c330d9e

SHA256
830c603d7e4a0b1eac0fd8f4eba9c1c316476b77a1fc6ec3cfb205c68ce12b07

SHA512
69a9102f1b328811bac9c4fec265ce660e213530579af41a7ba8ee4d8876b8d4ae3539182543f89b383f7eba2ae0e7db875cc2077bd2e47b3daeb73f880183f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
221dec364f7b1c523a2c7004a45689e0

SHA1
6b0658544c2d4991470be7321b88ed5beccb8ebc

SHA256
75618bae71d3165a08a38b7151b2db50e84c7ddc661356c17ce81c4cc6d40507

SHA512
b4e4502b62957e6a7691d38dda2e14de707a7a6fa4d050e63d8066f6175bb9c61c7422f41adc0b9921033013e973413375e26e2f7790efd5f2c7096e83bc067c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff29dc1744a29f86965281e31c712dcb

SHA1
22c9a8be265146ea4646c6322692a68a19128796

SHA256
fead80f095301ae58b350266cc3f0e832141ecdd0fff7071e00633977be00848

SHA512
b9bf3dd054bc504abd9b4fabe354165b7956f58c27670056cceeb72c26d6bb39e0241e0123780cd17587d14168c08b0d75f131415d046588a9f5739c8629bead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dfbb4c4d4400d75bcbc2accf48d3592e

SHA1
f781ab123bad410140c57470331e2b5eddd6d2f1

SHA256
ca18caaf9341226f7557169eb1e08298d7997e965a15cd1c808cd66ce116f0e0

SHA512
ffe6f9cb9399c913603c61b79725a3393a9d10ca130132fd734022522df74c261314e2861d9346ae009120f024a5f2b32e4f7ab2442d5c9c4603f2f5d3c065c5

Download Submit
memory/308-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/316-172-0x0000000003E20000-0x0000000003F7F000-memory.dmp

Filesize
1.4MB

Download
memory/556-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/932-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1260-203-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-94-0x0000000004910000-0x0000000004A6F000-memory.dmp

Filesize
1.4MB

Download
memory/1380-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-42-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/1504-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-234-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-211-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-37-0x00000000045D0000-0x000000000472F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-14-0x00000000045D0000-0x000000000472F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-26-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download