afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Size

1.1MB
MD5

095e22f30a3ea2e6d72e9cf795726a39
SHA1

989eea2102e9239c7c58f094cbef41a4108bcb4f
SHA256

afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53
SHA512

d2c5b28c615b18cafd90e42c12ab50ea72faf00cc296f643fbb6a7328228cb86380018c45f50bb7e80c9e5dbc21856cb6da6d9fef57153d865112f60d4446051
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QD:acallSllG4ZM7QzMU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2544	svchcst.exe
332	svchcst.exe
2848	svchcst.exe
848	svchcst.exe
1308	svchcst.exe
2032	svchcst.exe
1676	svchcst.exe
2004	svchcst.exe
2100	svchcst.exe
2752	svchcst.exe
2068	svchcst.exe
288	svchcst.exe
2708	svchcst.exe
1812	svchcst.exe
2896	svchcst.exe
2876	svchcst.exe
2680	svchcst.exe
2560	svchcst.exe
2472	svchcst.exe
1908	svchcst.exe
2192	svchcst.exe
2716	svchcst.exe
2416	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2100	WScript.exe
2100	WScript.exe
2564	WScript.exe
2052	WScript.exe
2052	WScript.exe
2972	WScript.exe
2972	WScript.exe
544	WScript.exe
544	WScript.exe
3004	WScript.exe
3004	WScript.exe
1660	WScript.exe
1660	WScript.exe
2608	WScript.exe
2608	WScript.exe
1188	WScript.exe
1188	WScript.exe
320	WScript.exe
320	WScript.exe
1088	WScript.exe
1088	WScript.exe
1708	WScript.exe
1708	WScript.exe
1080	WScript.exe
1080	WScript.exe
888	WScript.exe
888	WScript.exe
2600	WScript.exe
2600	WScript.exe
2144	WScript.exe
2144	WScript.exe
1184	WScript.exe
1184	WScript.exe
1092	WScript.exe
1092	WScript.exe
3068	WScript.exe
3068	WScript.exe
1512	WScript.exe
1512	WScript.exe
1088	WScript.exe
1088	WScript.exe
1912	WScript.exe
1912	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
2544	svchcst.exe
2544	svchcst.exe
332	svchcst.exe
332	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
848	svchcst.exe
848	svchcst.exe
1308	svchcst.exe
1308	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
288	svchcst.exe
288	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2100	2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	31
PID 2180 wrote to memory of 2100	2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	31
PID 2180 wrote to memory of 2100	2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	31
PID 2180 wrote to memory of 2100	2180	afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe	31
PID 2100 wrote to memory of 2544	2100	WScript.exe	33
PID 2100 wrote to memory of 2544	2100	WScript.exe	33
PID 2100 wrote to memory of 2544	2100	WScript.exe	33
PID 2100 wrote to memory of 2544	2100	WScript.exe	33
PID 2544 wrote to memory of 2564	2544	svchcst.exe	34
PID 2544 wrote to memory of 2564	2544	svchcst.exe	34
PID 2544 wrote to memory of 2564	2544	svchcst.exe	34
PID 2544 wrote to memory of 2564	2544	svchcst.exe	34
PID 2564 wrote to memory of 332	2564	WScript.exe	35
PID 2564 wrote to memory of 332	2564	WScript.exe	35
PID 2564 wrote to memory of 332	2564	WScript.exe	35
PID 2564 wrote to memory of 332	2564	WScript.exe	35
PID 332 wrote to memory of 2052	332	svchcst.exe	36
PID 332 wrote to memory of 2052	332	svchcst.exe	36
PID 332 wrote to memory of 2052	332	svchcst.exe	36
PID 332 wrote to memory of 2052	332	svchcst.exe	36
PID 2052 wrote to memory of 2848	2052	WScript.exe	37
PID 2052 wrote to memory of 2848	2052	WScript.exe	37
PID 2052 wrote to memory of 2848	2052	WScript.exe	37
PID 2052 wrote to memory of 2848	2052	WScript.exe	37
PID 2848 wrote to memory of 1732	2848	svchcst.exe	38
PID 2848 wrote to memory of 1732	2848	svchcst.exe	38
PID 2848 wrote to memory of 1732	2848	svchcst.exe	38
PID 2848 wrote to memory of 1732	2848	svchcst.exe	38
PID 2052 wrote to memory of 848	2052	WScript.exe	39
PID 2052 wrote to memory of 848	2052	WScript.exe	39
PID 2052 wrote to memory of 848	2052	WScript.exe	39
PID 2052 wrote to memory of 848	2052	WScript.exe	39
PID 848 wrote to memory of 2972	848	svchcst.exe	40
PID 848 wrote to memory of 2972	848	svchcst.exe	40
PID 848 wrote to memory of 2972	848	svchcst.exe	40
PID 848 wrote to memory of 2972	848	svchcst.exe	40
PID 2972 wrote to memory of 1308	2972	WScript.exe	41
PID 2972 wrote to memory of 1308	2972	WScript.exe	41
PID 2972 wrote to memory of 1308	2972	WScript.exe	41
PID 2972 wrote to memory of 1308	2972	WScript.exe	41
PID 1308 wrote to memory of 544	1308	svchcst.exe	42
PID 1308 wrote to memory of 544	1308	svchcst.exe	42
PID 1308 wrote to memory of 544	1308	svchcst.exe	42
PID 1308 wrote to memory of 544	1308	svchcst.exe	42
PID 544 wrote to memory of 2032	544	WScript.exe	43
PID 544 wrote to memory of 2032	544	WScript.exe	43
PID 544 wrote to memory of 2032	544	WScript.exe	43
PID 544 wrote to memory of 2032	544	WScript.exe	43
PID 2032 wrote to memory of 3004	2032	svchcst.exe	44
PID 2032 wrote to memory of 3004	2032	svchcst.exe	44
PID 2032 wrote to memory of 3004	2032	svchcst.exe	44
PID 2032 wrote to memory of 3004	2032	svchcst.exe	44
PID 3004 wrote to memory of 1676	3004	WScript.exe	45
PID 3004 wrote to memory of 1676	3004	WScript.exe	45
PID 3004 wrote to memory of 1676	3004	WScript.exe	45
PID 3004 wrote to memory of 1676	3004	WScript.exe	45
PID 1676 wrote to memory of 1660	1676	svchcst.exe	46
PID 1676 wrote to memory of 1660	1676	svchcst.exe	46
PID 1676 wrote to memory of 1660	1676	svchcst.exe	46
PID 1676 wrote to memory of 1660	1676	svchcst.exe	46
PID 1660 wrote to memory of 2004	1660	WScript.exe	47
PID 1660 wrote to memory of 2004	1660	WScript.exe	47
PID 1660 wrote to memory of 2004	1660	WScript.exe	47
PID 1660 wrote to memory of 2004	1660	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe
"C:\Users\Admin\AppData\Local\Temp\afee1f8858802579dac4b55891134d24636e861dab316cfb828ea62d4e903b53.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3ea49af5f18db17d9c0b5c35ca66fd05

SHA1
264c38d3bbfb48c1e837d295338a62bdd525c914

SHA256
848e192c2bf75331be481c4e23510621b93d94282da48f7b66ca8b317d3e7b44

SHA512
816732247c47f27c2b3282706e83a00edea2836899354b6c1a6030f807bcd85838302370ed38ec8c1e2d7de535b4385ff387d33754b2c9881bd905ac6c4def6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8636288b543daf708fe60d808b4a5eba

SHA1
3d68b00aee25b074d5baf2ad103934f4e5aeb99d

SHA256
1bb6d006cea9302e1db6bdacfcdde4a909ba0b9cdd25265680a30c814809582a

SHA512
fe1296d7a1883b0cd056f05f4c57438af97a0930dd24a2ba86d015adcc485a218f27465a291567a37722646112a629ed09de82aa1893772b08cc901d48a99e35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4d4f806243ada0dc22beec44c4666ea

SHA1
379bc0bc62e1a735ccb7df58a2504bb3d81320d6

SHA256
7be67262e05e2fb56bc516330e02d37664ca2ffa16b64f9a54f1f6d38baea2e3

SHA512
dde4813179fc784b6c6dd1f61d6e9f043169ee7ea89cbbc2fd22eb2a0a4cf249c8797058db3be78698e7e8fac7f2f0b43b69bc473d9e9a2e3a67adfcc7813024

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9416774e2bdf4c50dc404844a0a833c5

SHA1
23f812ada8dc3d7b44006e992e8853f288445768

SHA256
26bf38eaf8468ce6a263596e97fe3903849612b90c34e91d57fdfb59a52569df

SHA512
edfc41cecc0947b612c9a9a7372bdef5d399cf766654d81d2552d850bf0720f73ff17f14afc832486ce6c0fa3110a65b579bb01492b9ff78f7ea088a1442e901

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e0a57abfce1787ac7c563f7eb0366570

SHA1
b6acf07b7e3b10584bbff4a60f80f6fde0a909c7

SHA256
18bde1be6f761fb69831d33a4cf7d6c75055564db46b3c4a0a826193bd712813

SHA512
8c1a0788c6bb3ebbe21402b67ae2a17af2a45041b3f7a8144d0724260178dde3caba5ac644d19a1852cc5aa996ad2421ba4792bced27a74e08439e959df1ac56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4dd40e1f063f3cef4750eb5c0747e53f

SHA1
b97d1df3e279d555671bedeabef70027fbad223b

SHA256
52dd9847d00d36d9f7ddfc6490a0698aee7c5da3f7503b7e6283e8b2a8eb419e

SHA512
92961f251735a2f74b4648a04e9d3893bb2363d06c5daaa3423158c61ff4d360ea6f38191fbfcbd6d4f19fb2399c83b9b2354dd7f59c82babd6132cc103a4429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed4db0b38cdfa71239ecc03a49a7c99d

SHA1
8620a7d3eb13dafd8dabefb06ff8b788ac9d5c72

SHA256
2b77daaec374eb1daa58651536bcb9be0c64c2a80f40a7566e75728f50464f0d

SHA512
2579fa8ceffe7bc64fb29894c639a20ae3e25c8ffbb5e3b029efe9d14074ab406413e8f0a856184213bf2de1f2154f741329cfc72b6fe78f6439984972fa50d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d49bbd881085cef7fff9dd2e1c280b68

SHA1
8753977a980cc8f813d2ff35330bb8466eeebeab

SHA256
b1b732b6356bd5068c4c6d0a64bf7b68f6b9fe2e167b3dd107fefc70259eca23

SHA512
2bd1d08717114962b96940d862c4843a1ce56051b23ab0b0e1c3792d0f7093a6c70f6e8941007a6200070f0d75e97d789f8af784d824753e6dff43184d1784dc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
256d6df79df1bc179809d11ddb862c8d

SHA1
8ab799b56114401eb19186134c862e3b74002ef9

SHA256
d6f4b2009b418581cfd10b29d03b1d40916ec7eccb43220784945e285579e45c

SHA512
863fe23428e3e352805043741da651f9b5b95d0333ba039e88d528a394b85b707572fd77b10e99846a005aef10fc188d3056ab99799210dd561e539596baee34

Download Submit
memory/288-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/288-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/332-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/848-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-223-0x0000000004390000-0x00000000044EF000-memory.dmp

Filesize
1.4MB

Download
memory/1676-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1812-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1812-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-36-0x0000000005E90000-0x0000000005FEF000-memory.dmp

Filesize
1.4MB

Download
memory/2052-49-0x0000000005FE0000-0x000000000613F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-13-0x0000000004170000-0x00000000042CF000-memory.dmp

Filesize
1.4MB

Download
memory/2100-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-14-0x0000000004170000-0x00000000042CF000-memory.dmp

Filesize
1.4MB

Download
memory/2100-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2544-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-63-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-64-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-77-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-92-0x0000000005DA0000-0x0000000005EFF000-memory.dmp

Filesize
1.4MB

Download