d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
Size

1.1MB
MD5

774a45010ef067c6b2298c96f7a14ba9
SHA1

a4941c52688d46e4f9451e96c106a7e279ec9b9e
SHA256

d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519
SHA512

4f44afb8e01757d9cdb49c73bb116b89c425ae2b0ee83b88a676094cf337a5456de4a9021256102349b4c9e064443f6f443472b2db68643de2741b034048640c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qh:acallSllG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2680	svchcst.exe
2848	svchcst.exe
1628	svchcst.exe
2480	svchcst.exe
1124	svchcst.exe
1272	svchcst.exe
1844	svchcst.exe
2248	svchcst.exe
2880	svchcst.exe
896	svchcst.exe
2492	svchcst.exe
2432	svchcst.exe
2556	svchcst.exe
1544	svchcst.exe
1296	svchcst.exe
2648	svchcst.exe
2576	svchcst.exe
1636	svchcst.exe
484	svchcst.exe
2352	svchcst.exe
712	svchcst.exe
1444	svchcst.exe
2124	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2752	WScript.exe
2752	WScript.exe
1008	WScript.exe
2948	WScript.exe
2948	WScript.exe
2948	WScript.exe
3032	WScript.exe
3032	WScript.exe
1752	WScript.exe
1752	WScript.exe
2572	WScript.exe
2572	WScript.exe
2764	WScript.exe
2764	WScript.exe
2172	WScript.exe
2172	WScript.exe
2908	WScript.exe
2908	WScript.exe
2352	WScript.exe
1648	WScript.exe
1648	WScript.exe
2408	WScript.exe
2408	WScript.exe
1784	WScript.exe
1784	WScript.exe
2748	WScript.exe
2748	WScript.exe
2692	WScript.exe
2692	WScript.exe
2960	WScript.exe
2960	WScript.exe
1912	WScript.exe
1912	WScript.exe
2288	WScript.exe
2288	WScript.exe
2976	WScript.exe
2976	WScript.exe
816	WScript.exe
816	WScript.exe
776	WScript.exe
776	WScript.exe
2944	WScript.exe
2944	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
2680	svchcst.exe
2680	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
1272	svchcst.exe
1272	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
896	svchcst.exe
896	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
484	svchcst.exe
484	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
712	svchcst.exe
712	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2752	2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe	30
PID 2224 wrote to memory of 2752	2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe	30
PID 2224 wrote to memory of 2752	2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe	30
PID 2224 wrote to memory of 2752	2224	d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe	30
PID 2752 wrote to memory of 2680	2752	WScript.exe	32
PID 2752 wrote to memory of 2680	2752	WScript.exe	32
PID 2752 wrote to memory of 2680	2752	WScript.exe	32
PID 2752 wrote to memory of 2680	2752	WScript.exe	32
PID 2680 wrote to memory of 1008	2680	svchcst.exe	33
PID 2680 wrote to memory of 1008	2680	svchcst.exe	33
PID 2680 wrote to memory of 1008	2680	svchcst.exe	33
PID 2680 wrote to memory of 1008	2680	svchcst.exe	33
PID 1008 wrote to memory of 2848	1008	WScript.exe	34
PID 1008 wrote to memory of 2848	1008	WScript.exe	34
PID 1008 wrote to memory of 2848	1008	WScript.exe	34
PID 1008 wrote to memory of 2848	1008	WScript.exe	34
PID 2848 wrote to memory of 2948	2848	svchcst.exe	35
PID 2848 wrote to memory of 2948	2848	svchcst.exe	35
PID 2848 wrote to memory of 2948	2848	svchcst.exe	35
PID 2848 wrote to memory of 2948	2848	svchcst.exe	35
PID 2948 wrote to memory of 1628	2948	WScript.exe	37
PID 2948 wrote to memory of 1628	2948	WScript.exe	37
PID 2948 wrote to memory of 1628	2948	WScript.exe	37
PID 2948 wrote to memory of 1628	2948	WScript.exe	37
PID 1628 wrote to memory of 1360	1628	svchcst.exe	38
PID 1628 wrote to memory of 1360	1628	svchcst.exe	38
PID 1628 wrote to memory of 1360	1628	svchcst.exe	38
PID 1628 wrote to memory of 1360	1628	svchcst.exe	38
PID 2948 wrote to memory of 2480	2948	WScript.exe	39
PID 2948 wrote to memory of 2480	2948	WScript.exe	39
PID 2948 wrote to memory of 2480	2948	WScript.exe	39
PID 2948 wrote to memory of 2480	2948	WScript.exe	39
PID 2480 wrote to memory of 3032	2480	svchcst.exe	40
PID 2480 wrote to memory of 3032	2480	svchcst.exe	40
PID 2480 wrote to memory of 3032	2480	svchcst.exe	40
PID 2480 wrote to memory of 3032	2480	svchcst.exe	40
PID 3032 wrote to memory of 1124	3032	WScript.exe	41
PID 3032 wrote to memory of 1124	3032	WScript.exe	41
PID 3032 wrote to memory of 1124	3032	WScript.exe	41
PID 3032 wrote to memory of 1124	3032	WScript.exe	41
PID 1124 wrote to memory of 1752	1124	svchcst.exe	42
PID 1124 wrote to memory of 1752	1124	svchcst.exe	42
PID 1124 wrote to memory of 1752	1124	svchcst.exe	42
PID 1124 wrote to memory of 1752	1124	svchcst.exe	42
PID 1752 wrote to memory of 1272	1752	WScript.exe	43
PID 1752 wrote to memory of 1272	1752	WScript.exe	43
PID 1752 wrote to memory of 1272	1752	WScript.exe	43
PID 1752 wrote to memory of 1272	1752	WScript.exe	43
PID 1272 wrote to memory of 2572	1272	svchcst.exe	44
PID 1272 wrote to memory of 2572	1272	svchcst.exe	44
PID 1272 wrote to memory of 2572	1272	svchcst.exe	44
PID 1272 wrote to memory of 2572	1272	svchcst.exe	44
PID 2572 wrote to memory of 1844	2572	WScript.exe	45
PID 2572 wrote to memory of 1844	2572	WScript.exe	45
PID 2572 wrote to memory of 1844	2572	WScript.exe	45
PID 2572 wrote to memory of 1844	2572	WScript.exe	45
PID 1844 wrote to memory of 2764	1844	svchcst.exe	46
PID 1844 wrote to memory of 2764	1844	svchcst.exe	46
PID 1844 wrote to memory of 2764	1844	svchcst.exe	46
PID 1844 wrote to memory of 2764	1844	svchcst.exe	46
PID 1844 wrote to memory of 2960	1844	svchcst.exe	47
PID 1844 wrote to memory of 2960	1844	svchcst.exe	47
PID 1844 wrote to memory of 2960	1844	svchcst.exe	47
PID 1844 wrote to memory of 2960	1844	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe
"C:\Users\Admin\AppData\Local\Temp\d4017e9f5ec9dac95ef92cc87022a68c200b28761250328d843b5e29b171b519.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
35b6e08397cce4de0cd3b276a62df42e

SHA1
2aa6c4039546a2f45a3f37f37c76ab6d66500785

SHA256
13a439c4c1e4c95dcb3a2e4d5ac01f98d34215cecf9bcc0ed1c3432a9938cf4a

SHA512
18ddebc55679cbdc2dd953bc5e970da76314cad785f49cf24c08d894d4d49d71eb2d3f4f3a9da6f79e777422f502c9c4cfb3515d2739aa8f7d282ff9dfc4d9de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aca94ca92ea7d160469fd8631fe3e9ab

SHA1
fe64e7ed5ac691c34da276b6ab09fdb6d624a666

SHA256
b6ddad7657345b2e707985d52d9694add75aba005caddb5c5356e81230b22e4c

SHA512
de8340e953c076b97a9b8ee3708f79d0e2f7201812691d08645235e47af8ba6032f65e8e4af98f7789c1a8d35366488735bb4ad254cea57979df1f2c67ba0434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4765408cdd0aeec5da11dd954177f683

SHA1
75cce323774a5851f0107df8fdc08b4d9db217bd

SHA256
821536800190c778bb23bd0070e1aabfbf393b3f4f81fdc27129fbf0bf94ae87

SHA512
11a352ff077452fa468364a5d6792e9ba7c40b7eb809b1adbc0022175d700a17bccbc0e6a6eae96d51ef3f86fec449c32fac5cf4fc0a2c46abf1ad1b1d13a883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0bf90450872c7186ebbff464a241f3a5

SHA1
6e5d2182ff361985e7f6ba90a278959cc7b4760c

SHA256
70d6f887738f1b140ee8e52be8c594eb18aaef690e50dd55bd4bd369b3534678

SHA512
d6d143e60bd5e3212967510a6324c9ee472a267329d56919c68c39cd026ecded32e15de919b7f53fec360ddf61102fc12f6fa44c8fed3200113845370dc4e16e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cfe7a0bfa8b70ce0ba7248a83f59261c

SHA1
5861c71a1dfd353e6b20b7dc5424bf1e6b560df6

SHA256
792573b657c288c65119ee3a23dea8333708792ab4244f9a378d7b98e45f8413

SHA512
874c92c8fe2cadac7e011c294ecec56a535aa4e31f7d9edf175610dffd6319be7f2eb9acf3ba9666b6681752123b8d1abd251f81293128276c299b733bbe87d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
61b611ac9ef3ca784ec356e661b72998

SHA1
6a81e3bd9f6179889143e9cc790fda783a2b1159

SHA256
7324c11cb88f1329c3b5bcafa36cdfdd4f03437743a39a8567b8001757f9927b

SHA512
46d87e478f598f1b06e67258a2f123b899c95439a1e1fc53b9b5fdc8143f6d97a52eb11ddcfc16e0bcb6de0f404190a46a209229bf9ae2d667dade551448c09d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f443fb5bade835a2e50ab703cfab0d26

SHA1
a18f39814ad20a0b66dd5fbfadf60075d457b520

SHA256
fe7842baac2a590bd80272fbae8d952c4183095fefd286cd01079f3dc7e0e93c

SHA512
96c47f239d55612f0c2426a4c748d5785a1dbe52f2b2579bb9f7d26db40b50f5ef5921420fb3cfa53195079ed088b50c897f959e99d25e59aafe5903c7366dcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28ebbbb682af80bc9648b7f74661b757

SHA1
6a48fb59835c54c6d5d107bf23ff007f6f05b40d

SHA256
fc961b56d9f562e3c9f2bd2d9f103b0602b930c8e64e1163dcc285ab472df5d6

SHA512
c2758839753f6af6b7cd501b5aa87dfd36670da2e46e1eb7095c26e1dc1529c4288b9866bb95a98e704bc6b818ccf0cd0a299aadb59236f31a65fe86e7c221e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d3581c15ea1875c2d16a95d0cdc103fb

SHA1
e9cf3ac6f895f08522199c0d578c6f945fad17f5

SHA256
6cafb8279d87a3e74d19d69385421e92843ac3a53736be2e19c13e881a89ff4a

SHA512
a53b41d1109d13b6b646cc76d54ce95cb1ba1611a772f979fdb967d029aae1c949b056902165f0444a0683aa5d5617517cdc084d4b57e63c6d6e413c2371b939

Download Submit
memory/484-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/484-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/712-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/712-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/816-246-0x00000000047B0000-0x000000000490F000-memory.dmp

Filesize
1.4MB

Download
memory/896-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/896-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-26-0x0000000004B80000-0x0000000004CDF000-memory.dmp

Filesize
1.4MB

Download
memory/1124-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1272-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-79-0x0000000003D80000-0x0000000003EDF000-memory.dmp

Filesize
1.4MB

Download
memory/1752-78-0x0000000003D80000-0x0000000003EDF000-memory.dmp

Filesize
1.4MB

Download
memory/1844-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-207-0x0000000004820000-0x000000000497F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-93-0x0000000004910000-0x0000000004A6F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-189-0x0000000004810000-0x000000000496F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-18-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-35-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-107-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download
memory/2848-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-248-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/2944-249-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/2948-51-0x0000000004670000-0x00000000047CF000-memory.dmp

Filesize
1.4MB

Download
memory/2948-49-0x00000000049A0000-0x0000000004AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2976-223-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-64-0x0000000004A70000-0x0000000004BCF000-memory.dmp

Filesize
1.4MB

Download