b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Size

1.1MB
MD5

daf15c06d86beb529d7c885ef1167988
SHA1

153793f870c13371173b4111fd9ecb7b1164ecab
SHA256

b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92
SHA512

b1ee38c0dc48a9612e235b1edeb21891953bf1db51f8a0f29522568885f68e9824b2bf8c3e7e6727d0025a227ab602c6e61bb8615e977408519a1aa9bea7fa7d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzMb

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2848	svchcst.exe
2108	svchcst.exe
552	svchcst.exe
2252	svchcst.exe
1584	svchcst.exe
2912	svchcst.exe
2268	svchcst.exe
2668	svchcst.exe
1256	svchcst.exe
844	svchcst.exe
1660	svchcst.exe
1932	svchcst.exe
1576	svchcst.exe
1572	svchcst.exe
2652	svchcst.exe
1296	svchcst.exe
1728	svchcst.exe
1032	svchcst.exe
2376	svchcst.exe
1244	svchcst.exe
3016	svchcst.exe
884	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2100	WScript.exe
2100	WScript.exe
2616	WScript.exe
2616	WScript.exe
2424	WScript.exe
1908	WScript.exe
2588	WScript.exe
2588	WScript.exe
1820	WScript.exe
1820	WScript.exe
1820	WScript.exe
2648	WScript.exe
2648	WScript.exe
2036	WScript.exe
2036	WScript.exe
112	WScript.exe
112	WScript.exe
2860	WScript.exe
2860	WScript.exe
2928	WScript.exe
2928	WScript.exe
868	WScript.exe
868	WScript.exe
836	WScript.exe
836	WScript.exe
2548	WScript.exe
2548	WScript.exe
3064	WScript.exe
3064	WScript.exe
1540	WScript.exe
1540	WScript.exe
540	WScript.exe
540	WScript.exe
2504	WScript.exe
2504	WScript.exe
844	WScript.exe
844	WScript.exe
1336	WScript.exe
1336	WScript.exe
2912	WScript.exe
2912	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
2848	svchcst.exe
2848	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
552	svchcst.exe
552	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
1256	svchcst.exe
1256	svchcst.exe
844	svchcst.exe
844	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
884	svchcst.exe
884	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2100	2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	30
PID 2516 wrote to memory of 2100	2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	30
PID 2516 wrote to memory of 2100	2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	30
PID 2516 wrote to memory of 2100	2516	b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe	30
PID 2100 wrote to memory of 2848	2100	WScript.exe	33
PID 2100 wrote to memory of 2848	2100	WScript.exe	33
PID 2100 wrote to memory of 2848	2100	WScript.exe	33
PID 2100 wrote to memory of 2848	2100	WScript.exe	33
PID 2848 wrote to memory of 2616	2848	svchcst.exe	34
PID 2848 wrote to memory of 2616	2848	svchcst.exe	34
PID 2848 wrote to memory of 2616	2848	svchcst.exe	34
PID 2848 wrote to memory of 2616	2848	svchcst.exe	34
PID 2616 wrote to memory of 2108	2616	WScript.exe	35
PID 2616 wrote to memory of 2108	2616	WScript.exe	35
PID 2616 wrote to memory of 2108	2616	WScript.exe	35
PID 2616 wrote to memory of 2108	2616	WScript.exe	35
PID 2108 wrote to memory of 2424	2108	svchcst.exe	36
PID 2108 wrote to memory of 2424	2108	svchcst.exe	36
PID 2108 wrote to memory of 2424	2108	svchcst.exe	36
PID 2108 wrote to memory of 2424	2108	svchcst.exe	36
PID 2424 wrote to memory of 552	2424	WScript.exe	37
PID 2424 wrote to memory of 552	2424	WScript.exe	37
PID 2424 wrote to memory of 552	2424	WScript.exe	37
PID 2424 wrote to memory of 552	2424	WScript.exe	37
PID 552 wrote to memory of 1908	552	svchcst.exe	38
PID 552 wrote to memory of 1908	552	svchcst.exe	38
PID 552 wrote to memory of 1908	552	svchcst.exe	38
PID 552 wrote to memory of 1908	552	svchcst.exe	38
PID 1908 wrote to memory of 2252	1908	WScript.exe	39
PID 1908 wrote to memory of 2252	1908	WScript.exe	39
PID 1908 wrote to memory of 2252	1908	WScript.exe	39
PID 1908 wrote to memory of 2252	1908	WScript.exe	39
PID 2252 wrote to memory of 2588	2252	svchcst.exe	40
PID 2252 wrote to memory of 2588	2252	svchcst.exe	40
PID 2252 wrote to memory of 2588	2252	svchcst.exe	40
PID 2252 wrote to memory of 2588	2252	svchcst.exe	40
PID 2588 wrote to memory of 1584	2588	WScript.exe	41
PID 2588 wrote to memory of 1584	2588	WScript.exe	41
PID 2588 wrote to memory of 1584	2588	WScript.exe	41
PID 2588 wrote to memory of 1584	2588	WScript.exe	41
PID 1584 wrote to memory of 1820	1584	svchcst.exe	42
PID 1584 wrote to memory of 1820	1584	svchcst.exe	42
PID 1584 wrote to memory of 1820	1584	svchcst.exe	42
PID 1584 wrote to memory of 1820	1584	svchcst.exe	42
PID 1820 wrote to memory of 2912	1820	WScript.exe	43
PID 1820 wrote to memory of 2912	1820	WScript.exe	43
PID 1820 wrote to memory of 2912	1820	WScript.exe	43
PID 1820 wrote to memory of 2912	1820	WScript.exe	43
PID 2912 wrote to memory of 1620	2912	svchcst.exe	44
PID 2912 wrote to memory of 1620	2912	svchcst.exe	44
PID 2912 wrote to memory of 1620	2912	svchcst.exe	44
PID 2912 wrote to memory of 1620	2912	svchcst.exe	44
PID 1820 wrote to memory of 2268	1820	WScript.exe	45
PID 1820 wrote to memory of 2268	1820	WScript.exe	45
PID 1820 wrote to memory of 2268	1820	WScript.exe	45
PID 1820 wrote to memory of 2268	1820	WScript.exe	45
PID 2096 wrote to memory of 2788	2096	WScript.exe	47
PID 2096 wrote to memory of 2788	2096	WScript.exe	47
PID 2096 wrote to memory of 2788	2096	WScript.exe	47
PID 2096 wrote to memory of 2788	2096	WScript.exe	47
PID 2788 wrote to memory of 2648	2788	svchcst.exe	48
PID 2788 wrote to memory of 2648	2788	svchcst.exe	48
PID 2788 wrote to memory of 2648	2788	svchcst.exe	48
PID 2788 wrote to memory of 2648	2788	svchcst.exe	48

C:\Users\Admin\AppData\Local\Temp\b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe
"C:\Users\Admin\AppData\Local\Temp\b93b4d1fc799b6e42bd3527a6059dd34028996b3337cd73f7ad52165902ecc92.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5426d6d5c0b3c65e8324618c1d616d7f

SHA1
f81884e90212b4d95e2745245c1c2737797a3ddd

SHA256
f1f206d03e5cf84d689070fbd36d2bce03fecde83156b4283e1a18d60e2df984

SHA512
1b10b98ef7603a5286889692050a45024456d2beb66e23d56517cb3aa9b3acaabf6a6fab0cbbd70acb489d7ba4dee6de8ebd858ab2c2194b97d8b06184f13267

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5ee54e64de27e6b50412e7818e7c7ae

SHA1
47bd1b9a44ec3f5a60e2a0ea7d3cdff2d2468bac

SHA256
d8604f35c6f1f519f6996437a43c04506337927c595b673acee62ec85784a57b

SHA512
4ea90d2248d1a2a09601f9e1ed7a7e81069e6e7381f613b23b33fdfcfa255bedd9f6dd51d3b599bba7355c9cade3d493b32ca2d53462b9fa71065507bff54ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
02d721c9644a8d575c3ea5575ccca19a

SHA1
d933d83cc4d3c63aef543279de2071c6c47dd59c

SHA256
f190b7ead6675f0478662e946561b288678fead3ede3b5b5253340805e0c4869

SHA512
a73413c55cecfd662cdd74823bf70272a23e2f2221448ef7136c4837e2040b57bd80127556601d76d9d00aac469855fde5195a0eaf23fd62df4e4d07e61e74d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee702263d92eb8e88854bcc89e9e36a7

SHA1
c06b13b6cd388923f10a60825fccc27ff9db0df7

SHA256
7c17be34c8d0b713aebde28a7cf98ddb4bd493c351c31c421a5dcd3d7461cf9b

SHA512
222530a321e19579632cb13b3743dda2bf5e60c57c68fee335123380a43a48f9b7f0d4c3c84f30fd5b84e4ae8a2c1c00b545d249f9cb28ef9c454c7387259adc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ed9b8633bbc44764d4ef77af767f0ee

SHA1
d505974fe0d00f8dae12d9c98cf7a2dc72accf88

SHA256
41d11fb7ad122cd8947be3786b3e7c8e155fb70e2abc6f8b049615412583adaa

SHA512
3ddd75a48282045d8e61738df64d53ecdaa5f24a7b878c1eef3610ee80423f3bb1533b64746b4e5fc3325b28c540a7bde91a7b1bcaf750a0237ee8f2318ed083

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb6642bb6f704d4412d13ee639cbaab2

SHA1
2499332a5a89fd01fcc76907b182c6df242f0ea4

SHA256
37208e01d5d1fd215e8022c56f2f2555389c77dd85840c178b3075a9701fd198

SHA512
f10bca2600e221e7e74fb34de97a1c2aa3c6f8e245f740be33026942a5e4606c82f009bab3132ad3ddb6e659810b11df995480ea0b1fed0581c028695f11c886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dfe742835d69143ce2195b1eaf3e911f

SHA1
3f670b8f1d20308aaa193ffeadcd14cce63c2aed

SHA256
0d741aa99a92827a800662a17fb82f2e29b9cd856b9dca5f08ad01227169316f

SHA512
b6149f25bfae95339ba71396dd39ea8dc6cb336a3af17019a658f34533d746195ced8ddfab0fa0ed51dcbcc36282defcc1b874ae32101485aacffbfcc73b4baf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7de58f39a6c1d90f25604a49ee36aa32

SHA1
e5ab3856e27eff81b94c6088df5a1cad540a6ffb

SHA256
8e40421429d7ca4658ace6b04acdb4fa7fc89f5cfb07be5f1eb6f1e71ed6dbe7

SHA512
1f4b5707f105235fc32ff52f178ce36f49d85e79b887d028faaaa3b1ed3e6e11263df1ccf96a2b4d8cbeed936b8ad1c4c2aa7950b8a783603ee8fb2e14357f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e88192baee4b4347a2f627fc8e8b259

SHA1
0eb92681ae59dc81dc2ef29227b9724c4fb2c611

SHA256
b6ac42048963acf9995f5427c2eaed83b1ced779eebf5370536afd4217f391b3

SHA512
26e719974c30ff3e2cdac6b83fdfdc461043fe914d31e7dba281b9b4c8c0222ea860ca8ee902527bc8968033532217b4759c66b7ee6c345a22d6be7ab0166441

Download Submit
memory/552-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1256-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1572-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1576-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1576-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-82-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-53-0x0000000004820000-0x000000000497F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-69-0x0000000004820000-0x000000000497F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-103-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-13-0x0000000003EA0000-0x0000000003FFF000-memory.dmp

Filesize
1.4MB

Download
memory/2100-14-0x0000000003EA0000-0x0000000003FFF000-memory.dmp

Filesize
1.4MB

Download
memory/2108-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2376-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-42-0x0000000004A80000-0x0000000004BDF000-memory.dmp

Filesize
1.4MB

Download
memory/2516-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-66-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-67-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-83-0x00000000049B0000-0x0000000004B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-30-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-156-0x0000000004640000-0x000000000479F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download