05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
Size

1.1MB
MD5

62783a3e2165a5c3adac27b02f3e57cf
SHA1

d0bd557476cca0fce1c7b57cfd72d6a8088be3e4
SHA256

05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8
SHA512

4fe5c4ff6606628029008159f2aa9de051b4b7a5828014023c6cd93460d2874e2cabc45586ddeb34aeae7e29e12abdddf37ba6939e52b56548a7e9d31a82c544
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2768	svchcst.exe
2020	svchcst.exe
2912	svchcst.exe
952	svchcst.exe
1444	svchcst.exe
644	svchcst.exe
2516	svchcst.exe
1608	svchcst.exe
2612	svchcst.exe
3028	svchcst.exe
2264	svchcst.exe
1032	svchcst.exe
1444	svchcst.exe
568	svchcst.exe
2372	svchcst.exe
2820	svchcst.exe
2944	svchcst.exe
2624	svchcst.exe
2900	svchcst.exe
2912	svchcst.exe
2836	svchcst.exe
1820	svchcst.exe
1272	svchcst.exe
644	svchcst.exe
1384	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
308	WScript.exe
308	WScript.exe
1744	WScript.exe
1744	WScript.exe
1860	WScript.exe
1860	WScript.exe
1860	WScript.exe
1860	WScript.exe
2240	WScript.exe
2240	WScript.exe
2240	WScript.exe
2240	WScript.exe
1312	WScript.exe
1984	WScript.exe
1984	WScript.exe
1984	WScript.exe
2748	WScript.exe
772	WScript.exe
772	WScript.exe
856	WScript.exe
856	WScript.exe
1272	WScript.exe
1272	WScript.exe
1768	WScript.exe
1768	WScript.exe
1652	WScript.exe
1652	WScript.exe
2128	WScript.exe
2128	WScript.exe
2128	WScript.exe
1720	WScript.exe
1720	WScript.exe
2064	WScript.exe
2064	WScript.exe
2892	WScript.exe
2892	WScript.exe
2172	WScript.exe
2172	WScript.exe
1644	WScript.exe
1644	WScript.exe
2436	WScript.exe
2436	WScript.exe
1540	WScript.exe
1540	WScript.exe
2380	WScript.exe
2380	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
2768	svchcst.exe
2768	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
952	svchcst.exe
952	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
644	svchcst.exe
644	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
568	svchcst.exe
568	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
1272	svchcst.exe
1272	svchcst.exe
644	svchcst.exe
644	svchcst.exe
1384	svchcst.exe
1384	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 308	3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe	31
PID 3056 wrote to memory of 308	3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe	31
PID 3056 wrote to memory of 308	3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe	31
PID 3056 wrote to memory of 308	3056	05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe	31
PID 308 wrote to memory of 2768	308	WScript.exe	33
PID 308 wrote to memory of 2768	308	WScript.exe	33
PID 308 wrote to memory of 2768	308	WScript.exe	33
PID 308 wrote to memory of 2768	308	WScript.exe	33
PID 2768 wrote to memory of 2636	2768	svchcst.exe	34
PID 2768 wrote to memory of 2636	2768	svchcst.exe	34
PID 2768 wrote to memory of 2636	2768	svchcst.exe	34
PID 2768 wrote to memory of 2636	2768	svchcst.exe	34
PID 2768 wrote to memory of 1744	2768	svchcst.exe	35
PID 2768 wrote to memory of 1744	2768	svchcst.exe	35
PID 2768 wrote to memory of 1744	2768	svchcst.exe	35
PID 2768 wrote to memory of 1744	2768	svchcst.exe	35
PID 1744 wrote to memory of 2020	1744	WScript.exe	36
PID 1744 wrote to memory of 2020	1744	WScript.exe	36
PID 1744 wrote to memory of 2020	1744	WScript.exe	36
PID 1744 wrote to memory of 2020	1744	WScript.exe	36
PID 2020 wrote to memory of 1860	2020	svchcst.exe	37
PID 2020 wrote to memory of 1860	2020	svchcst.exe	37
PID 2020 wrote to memory of 1860	2020	svchcst.exe	37
PID 2020 wrote to memory of 1860	2020	svchcst.exe	37
PID 1860 wrote to memory of 2912	1860	WScript.exe	38
PID 1860 wrote to memory of 2912	1860	WScript.exe	38
PID 1860 wrote to memory of 2912	1860	WScript.exe	38
PID 1860 wrote to memory of 2912	1860	WScript.exe	38
PID 2912 wrote to memory of 2240	2912	svchcst.exe	39
PID 2912 wrote to memory of 2240	2912	svchcst.exe	39
PID 2912 wrote to memory of 2240	2912	svchcst.exe	39
PID 2912 wrote to memory of 2240	2912	svchcst.exe	39
PID 1860 wrote to memory of 952	1860	WScript.exe	40
PID 1860 wrote to memory of 952	1860	WScript.exe	40
PID 1860 wrote to memory of 952	1860	WScript.exe	40
PID 1860 wrote to memory of 952	1860	WScript.exe	40
PID 2240 wrote to memory of 1444	2240	WScript.exe	41
PID 2240 wrote to memory of 1444	2240	WScript.exe	41
PID 2240 wrote to memory of 1444	2240	WScript.exe	41
PID 2240 wrote to memory of 1444	2240	WScript.exe	41
PID 1444 wrote to memory of 468	1444	svchcst.exe	42
PID 1444 wrote to memory of 468	1444	svchcst.exe	42
PID 1444 wrote to memory of 468	1444	svchcst.exe	42
PID 1444 wrote to memory of 468	1444	svchcst.exe	42
PID 2240 wrote to memory of 644	2240	WScript.exe	43
PID 2240 wrote to memory of 644	2240	WScript.exe	43
PID 2240 wrote to memory of 644	2240	WScript.exe	43
PID 2240 wrote to memory of 644	2240	WScript.exe	43
PID 644 wrote to memory of 1312	644	svchcst.exe	44
PID 644 wrote to memory of 1312	644	svchcst.exe	44
PID 644 wrote to memory of 1312	644	svchcst.exe	44
PID 644 wrote to memory of 1312	644	svchcst.exe	44
PID 1312 wrote to memory of 2516	1312	WScript.exe	45
PID 1312 wrote to memory of 2516	1312	WScript.exe	45
PID 1312 wrote to memory of 2516	1312	WScript.exe	45
PID 1312 wrote to memory of 2516	1312	WScript.exe	45
PID 2516 wrote to memory of 1984	2516	svchcst.exe	46
PID 2516 wrote to memory of 1984	2516	svchcst.exe	46
PID 2516 wrote to memory of 1984	2516	svchcst.exe	46
PID 2516 wrote to memory of 1984	2516	svchcst.exe	46
PID 1984 wrote to memory of 1608	1984	WScript.exe	47
PID 1984 wrote to memory of 1608	1984	WScript.exe	47
PID 1984 wrote to memory of 1608	1984	WScript.exe	47
PID 1984 wrote to memory of 1608	1984	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe
"C:\Users\Admin\AppData\Local\Temp\05a1a6c50b29d35b22494a23c7c153afe2c6e167f26ca58d4f5d843aaafd84c8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b093b405736403d8ec85788275897a62

SHA1
1ea123b12aea62cc1551a2f40f1972e051b0fc27

SHA256
ceaa2fdcfb006233fcd391e8633ab824b4d147b668f46e4a59ea0247c42455ad

SHA512
c7b9d94ca56b2824bd4b1dfd2783bde9466ffee2136db09bd880b5bd738ca31d44e6154008406510e762d1a311862dd820c9569984649109d669611b2452a61d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
844d21d861501972be20008046a44beb

SHA1
f9af0205a5a3e525a6731157bfebf1d453f44f75

SHA256
6bbf9225bf5a3ed01b349e3fac5cefd129adebed30a353216f25d6ad8db1c6c6

SHA512
8e3a98bfeb99c47cdc8f8f10a4e255698b0031cbd0070bdd7b0fea77118acfc518b252701fe7e9a95f2f32eac18be2dddf617791b3a8ba700bc1c64068b6a719

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3c06c00f93240646fa6934c6f3de64ae

SHA1
ee91b8f891b69191670cd00e070ea576c9d915c9

SHA256
a7f064399f44f8b735ad51956d5d067ef18ac9df1dc5d26a4b3465e1e63b9c27

SHA512
6eaf375f0a5def9c4d0feac347f76204901028c5198d0f9be4ae55f4220e6aed0a957f99fa4e6c92ee8e20414d828f424c3caedc7ff79601bb5268273ac58077

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
71684bef36f01ee8cbcb3054ccfbfe66

SHA1
9a400e6a28bca68b65cbac1b44770ec450ee20ac

SHA256
caacd33e151c0b7a7623b64e0521c4695cce34e25ca9a64c93204c1ddc8b5e04

SHA512
e8643c89cb9d2f098c7456ea34e67193c4c2aa1d395d20374e42d7a75472f4bcc5e4b041a5c51275c54ab4e113ef3d16b6b1f4a10a68be572f6fa87af8ba8a33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a7c1b047cd71b66a2a1615b29bf6682

SHA1
4003b789487f09a5af70db1601c13b69ac23f2dd

SHA256
77e90978096f03dd21a92e3aceb2f1d73964b274f6169225dcf5d389ae098beb

SHA512
dc87f0658f1207ab2af9c81ba24a84c79b738c961b292a109e7f0e87eae8ea0130b6da356b8cc3ed9e08c9f23f6293dbdbb3548035beec11f1df2ef20c22f78d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a22e56926be52a9089929391d34a1cf5

SHA1
f3431e806ee463e63a5d11427dd0788ce5f2f29f

SHA256
153d0b8482799889f3f773222d2771e7cf9814f941b9b861adac440f0b0df7c2

SHA512
192d24ca43fbe5e31bb5264924b66b3f2667abdf563d9f19648dd43046aeaf3b715475a55ca9fa923a13998e4e7517aed23499daa45747444b9dd116f668bcc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f89d66add93a92e2a96725601c6a6351

SHA1
1247c96bf6322d54d293ff232d1ed6a15c44185e

SHA256
772ae32b6257fad581a4f71352d052cdd618f9bf5d855d6663541c60737f6e31

SHA512
3e70f050d1239a35897677c5baced4e5a1f95e87a3754c2f3bb4ebeea9c6499cf7c57e5e370bdd103177bef0e168b838999c5d61dd9cbdc9e0fd639c4e7bfd79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5be497007daad1f41679983f8698df6f

SHA1
a3e8584df54b20c9f9a9d5f61e267c9f65420dfe

SHA256
dadbcb155628f3d674199905e031dc3f36752e0f6d9dd5af1cbc1d92d22042e7

SHA512
22915f230a6592a528ae086d88b0d029702d4a6b79bf02a3dab8708f7851b4ec0d03be498dc9339a44de5015e9307e001afd7f24516f804118fa97fed82e2cea

Download Submit
memory/308-14-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/308-15-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/568-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/644-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/644-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/644-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/644-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-153-0x00000000047F0000-0x000000000494F000-memory.dmp

Filesize
1.4MB

Download
memory/952-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1272-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1384-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1384-256-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-179-0x00000000058E0000-0x0000000005A3F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-46-0x00000000058E0000-0x0000000005A3F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-31-0x00000000058E0000-0x0000000005A3F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-169-0x00000000046A0000-0x00000000047FF000-memory.dmp

Filesize
1.4MB

Download
memory/1820-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-64-0x0000000005D50000-0x0000000005EAF000-memory.dmp

Filesize
1.4MB

Download
memory/2020-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-80-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download