c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Size

1.1MB
MD5

1134ef5931d60fe644adc5ebbaea12f6
SHA1

2b1aa5e95e604baf20b95c17b65f9a02d51eff5e
SHA256

c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3
SHA512

6622c5929a3eef4af935934c434c1cc8a2d3b303a62a3e27f97d5598615589f077db157539c37d6e45f981420011a439d4f2559d476cee71f4cdacb02d285759
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QW:acallSllG4ZM7QzMN

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2568	svchcst.exe
1180	svchcst.exe
544	svchcst.exe
2228	svchcst.exe
2084	svchcst.exe
896	svchcst.exe
872	svchcst.exe
2556	svchcst.exe
2128	svchcst.exe
2820	svchcst.exe
3056	svchcst.exe
1856	svchcst.exe
540	svchcst.exe
2456	svchcst.exe
1644	svchcst.exe
2224	svchcst.exe
1992	svchcst.exe
1792	svchcst.exe
2940	svchcst.exe
2380	svchcst.exe
944	svchcst.exe
2260	svchcst.exe
2316	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2772	WScript.exe
2772	WScript.exe
1448	WScript.exe
1448	WScript.exe
1152	WScript.exe
1152	WScript.exe
2696	WScript.exe
2696	WScript.exe
2000	WScript.exe
2000	WScript.exe
1332	WScript.exe
1332	WScript.exe
1544	WScript.exe
1544	WScript.exe
2760	WScript.exe
2760	WScript.exe
300	WScript.exe
300	WScript.exe
2600	WScript.exe
2600	WScript.exe
1060	WScript.exe
1060	WScript.exe
2228	WScript.exe
2228	WScript.exe
2052	WScript.exe
2052	WScript.exe
2108	WScript.exe
2108	WScript.exe
2024	WScript.exe
2024	WScript.exe
1620	WScript.exe
1620	WScript.exe
2080	WScript.exe
2080	WScript.exe
1252	WScript.exe
1252	WScript.exe
1208	WScript.exe
1208	WScript.exe
2364	WScript.exe
2364	WScript.exe
1980	WScript.exe
1980	WScript.exe
1764	WScript.exe
1764	WScript.exe
2012	WScript.exe
2012	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
2568	svchcst.exe
2568	svchcst.exe
1180	svchcst.exe
1180	svchcst.exe
544	svchcst.exe
544	svchcst.exe
2228	svchcst.exe
2228	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
896	svchcst.exe
896	svchcst.exe
872	svchcst.exe
872	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
540	svchcst.exe
540	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
944	svchcst.exe
944	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2772	2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	30
PID 2596 wrote to memory of 2772	2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	30
PID 2596 wrote to memory of 2772	2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	30
PID 2596 wrote to memory of 2772	2596	c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe	30
PID 2772 wrote to memory of 2568	2772	WScript.exe	32
PID 2772 wrote to memory of 2568	2772	WScript.exe	32
PID 2772 wrote to memory of 2568	2772	WScript.exe	32
PID 2772 wrote to memory of 2568	2772	WScript.exe	32
PID 2568 wrote to memory of 1448	2568	svchcst.exe	33
PID 2568 wrote to memory of 1448	2568	svchcst.exe	33
PID 2568 wrote to memory of 1448	2568	svchcst.exe	33
PID 2568 wrote to memory of 1448	2568	svchcst.exe	33
PID 1448 wrote to memory of 1180	1448	WScript.exe	34
PID 1448 wrote to memory of 1180	1448	WScript.exe	34
PID 1448 wrote to memory of 1180	1448	WScript.exe	34
PID 1448 wrote to memory of 1180	1448	WScript.exe	34
PID 1180 wrote to memory of 1152	1180	svchcst.exe	35
PID 1180 wrote to memory of 1152	1180	svchcst.exe	35
PID 1180 wrote to memory of 1152	1180	svchcst.exe	35
PID 1180 wrote to memory of 1152	1180	svchcst.exe	35
PID 1152 wrote to memory of 544	1152	WScript.exe	36
PID 1152 wrote to memory of 544	1152	WScript.exe	36
PID 1152 wrote to memory of 544	1152	WScript.exe	36
PID 1152 wrote to memory of 544	1152	WScript.exe	36
PID 544 wrote to memory of 2696	544	svchcst.exe	37
PID 544 wrote to memory of 2696	544	svchcst.exe	37
PID 544 wrote to memory of 2696	544	svchcst.exe	37
PID 544 wrote to memory of 2696	544	svchcst.exe	37
PID 2696 wrote to memory of 2228	2696	WScript.exe	39
PID 2696 wrote to memory of 2228	2696	WScript.exe	39
PID 2696 wrote to memory of 2228	2696	WScript.exe	39
PID 2696 wrote to memory of 2228	2696	WScript.exe	39
PID 2228 wrote to memory of 2000	2228	svchcst.exe	40
PID 2228 wrote to memory of 2000	2228	svchcst.exe	40
PID 2228 wrote to memory of 2000	2228	svchcst.exe	40
PID 2228 wrote to memory of 2000	2228	svchcst.exe	40
PID 2000 wrote to memory of 2084	2000	WScript.exe	41
PID 2000 wrote to memory of 2084	2000	WScript.exe	41
PID 2000 wrote to memory of 2084	2000	WScript.exe	41
PID 2000 wrote to memory of 2084	2000	WScript.exe	41
PID 2084 wrote to memory of 1332	2084	svchcst.exe	42
PID 2084 wrote to memory of 1332	2084	svchcst.exe	42
PID 2084 wrote to memory of 1332	2084	svchcst.exe	42
PID 2084 wrote to memory of 1332	2084	svchcst.exe	42
PID 1332 wrote to memory of 896	1332	WScript.exe	43
PID 1332 wrote to memory of 896	1332	WScript.exe	43
PID 1332 wrote to memory of 896	1332	WScript.exe	43
PID 1332 wrote to memory of 896	1332	WScript.exe	43
PID 896 wrote to memory of 1544	896	svchcst.exe	44
PID 896 wrote to memory of 1544	896	svchcst.exe	44
PID 896 wrote to memory of 1544	896	svchcst.exe	44
PID 896 wrote to memory of 1544	896	svchcst.exe	44
PID 1544 wrote to memory of 872	1544	WScript.exe	45
PID 1544 wrote to memory of 872	1544	WScript.exe	45
PID 1544 wrote to memory of 872	1544	WScript.exe	45
PID 1544 wrote to memory of 872	1544	WScript.exe	45
PID 872 wrote to memory of 2760	872	svchcst.exe	46
PID 872 wrote to memory of 2760	872	svchcst.exe	46
PID 872 wrote to memory of 2760	872	svchcst.exe	46
PID 872 wrote to memory of 2760	872	svchcst.exe	46
PID 2760 wrote to memory of 2556	2760	WScript.exe	47
PID 2760 wrote to memory of 2556	2760	WScript.exe	47
PID 2760 wrote to memory of 2556	2760	WScript.exe	47
PID 2760 wrote to memory of 2556	2760	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe
"C:\Users\Admin\AppData\Local\Temp\c92a1aebbd6001dd90bd60848d24ea402fe3b78c11109c0afa46eacc288c48c3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
040127222f4d96801266062025445506

SHA1
33782e7e9c6a5b6160c7cd4c6f735cc2e56fc5c4

SHA256
2e6a6141aad247be1fa60882657165487ea218ca0b54aec89f021e62d9deab9f

SHA512
dbe35740e7b015d78a74e52338b08a23cb02874515de97fc0192b7be8d5b28868a099287951b4de4e345343144354a03df6ee9909c8805a3918741f32fcb3185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7f92a34f71720b04d60028801eb07932

SHA1
1701bae49609dc0ad1ab56823ae2414fd6c286c5

SHA256
b7445df62a392850e8ed07fba398dd5896625b6bcd694dfb5a02797ca2c637ee

SHA512
f5173fb410530956a6fcc8a15894c4186ae7fbac8e408714143359b476a2a2b1bd528cdb2e4647d1c16b99f108e452fb4fcb0a6db5eae6750fc6f6d8edd85360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e877b63be3e315cc50f01340e987b7db

SHA1
56a8f1ae1f24c9cfb2f0a5cee7f168c1632e206b

SHA256
c732bc229af06acdb42483ad372c4e9992f312bc049d1d3ef28e0c5eb1b31418

SHA512
5e71c3589582ec10e53db220a16b149c1328f53b1de8cef4f2742f98b421f8d2dfe748d1dc8f3d99e7547e440a33fb0944de39b577f587b597ecf8b470cf23cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
af67863d5d4d15f8fd65ffe7e18c5641

SHA1
37696fcf291fa5ff972c62799ecb9966f9959f7e

SHA256
d4d7908dca344acaef30a6959611ca65fb1245e4233f5e794585f6d8c24a3477

SHA512
df6fe8e683599dbee69a06193283c205147be5918489dcb16354287062fa9dbb224fda847a784816b2481b156ff8fbe5692dec19d5a13d2b11890a5af719f6b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d3a59f9f1cba6ac883d9977463c9449

SHA1
f920561e3e6f8b7dd3ce6f0fb7c0910f4188756a

SHA256
9731bca5581b398898194c50fa40195c8559bf47e3d5980a64d03198a1733cf4

SHA512
ceee583634c08acee3986f46833cd1bf345920e029150ffcd2ef4ba516557937f021e372fb0815fb75d87085fecdedce7b76f3c806da04cc9d1b4d4b568f4dad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aed498c58a7e72ad3ebbf0981fec9433

SHA1
9a4713fef46159eb94654140bd48c512bc5c266a

SHA256
79ab6d43b4ca2aee47536ddcd6c97ead62540c9513a3cb058dafedeb579681c6

SHA512
2a77813d0cb0aadaf8eb844cadb1efc62506828aba0b259ec262916dd8956746ad6d20be243f6e974b66aac3d83dfe2187aa8c23af9a9e60c5c21c368f5154b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f791d491594e6b279ac3501532487574

SHA1
03f578aef91bac2e79161b4943ccad040877c971

SHA256
7950a1de5d630fa167636b8ec017c80ebc83763102618fc6373d3497d3214a43

SHA512
18b7ff39572b7b4463a3439459cd4b309a68fec9f2f461f187ccec058260e414135c7822abe8c0af979b89268cac694987211c875d45d491f1a0084e369e0e57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7c9d53e5cdb4e7dfd935dc4b596f1bf

SHA1
daf195318725f881766ce2edce5bc46282b3f957

SHA256
7e466ea6e8a59c7bc1472b3d2f0be40b146f6779b04489c70087607f86a2f8d5

SHA512
8ef97957fa38e8e97d519fa7f3214499e2ba1ca7dc6724f51e44a3ac696183670f4ea6870105f995e049b7b5c4b5fd6884e52fc51d07856bac18a399e5d4afe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e7d59f87dad9916fd3a1a46ccad8ebbc

SHA1
5412b943c222e456675b47dad2a3242e07e196c1

SHA256
ed3c028dd78eef3a29e3ad49d2be9089bc8c92971f272fb67a996d7b53e89fc1

SHA512
a04ad6d99bf0f3db7ea580f9e74d0d9577d9f904d5c7e3b520b5151fd8ab6f846f5d7f66fcaf98884bcacf96b3dddf173c6b58153503b0913737d273302f26f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4346b26c016c7274f4870e3be6c46e22

SHA1
f1c3e292c493639a82603ca2dc571f852fb36aee

SHA256
8288f3d6ea467d59678f9806a2fb2ad2ee9020d336dca5e06796223b4e742f3d

SHA512
05a08c87128e151553ac8786ad0c96db21201c7e095aa57a5c0b1214554ffe007ce9165004e2f032ea65d3df0da0404ce2379cffb6b38c0fcaade3034185d9b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bd1505eaa6b1a44b74c41006a60b90df

SHA1
5943c4c1928215efed133d7428265b4d31e7e191

SHA256
76074db5af64eb5e26387b3bc4b972c5e01d4ecab252d5933114e51de51e265c

SHA512
608bc77f008dbc427b12c1c655dc8c8fa5a334415f68880c092b64c52618fc7a95ef0b407075aba7c5ee56b6dce372f85ceb2c13d1d29ec959d6bf66dfb6c9f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
994ca4d5c1ae3e6f24b1efedf5fec767

SHA1
e823c7de5c5f3f85a60b550acc9311c10e636c7e

SHA256
314aeb283d4e0231b66225a5f5abb74ad55373e0a5134ad1f20e0b39f6ecc4b6

SHA512
9c3fe1a15decaf312eed14834a70e71dd6223ca14af7ad7bcabeadd762c265d3db186a1c1dcd23311ed55accf95db7473cc019b91c6b9421e4197b9ce62612f7

Download Submit
memory/300-126-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/540-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/540-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/544-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/896-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-155-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1152-43-0x0000000004790000-0x00000000048EF000-memory.dmp

Filesize
1.4MB

Download
memory/1180-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-98-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-99-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-210-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-69-0x0000000005900000-0x0000000005A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-71-0x0000000005900000-0x0000000005A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2228-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-142-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/2600-141-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-56-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/2760-112-0x00000000044E0000-0x000000000463F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-13-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-14-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download