1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
Size

1.1MB
MD5

ffb8fe4175f2fa8859206dd4aa254cf8
SHA1

fec39d23251a3a0d53454099d61b0409c8909b9f
SHA256

1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752
SHA512

20b003367b31c34c57aa8efa8ff3def2869849829d1f3afe26be141748e5eb61b8f1291d0ba25ebddadaf0fbcd679f40a66f8055ef014920e6bb38a24e179509
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QL:acallSllG4ZM7QzMs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2792	svchcst.exe
2832	svchcst.exe
2016	svchcst.exe
2032	svchcst.exe
2416	svchcst.exe
692	svchcst.exe
2960	svchcst.exe
2820	svchcst.exe
1880	svchcst.exe
1436	svchcst.exe
1300	svchcst.exe
2560	svchcst.exe
1000	svchcst.exe
2164	svchcst.exe
2964	svchcst.exe
1656	svchcst.exe
2812	svchcst.exe
2300	svchcst.exe
1140	svchcst.exe
1728	svchcst.exe
1912	svchcst.exe
2212	svchcst.exe
1480	svchcst.exe
2232	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2704	WScript.exe
2704	WScript.exe
2748	WScript.exe
2748	WScript.exe
828	WScript.exe
828	WScript.exe
3040	WScript.exe
1204	WScript.exe
920	WScript.exe
2092	WScript.exe
2264	WScript.exe
920	WScript.exe
2452	WScript.exe
1868	WScript.exe
1868	WScript.exe
1344	WScript.exe
1344	WScript.exe
2116	WScript.exe
988	WScript.exe
988	WScript.exe
2992	WScript.exe
2992	WScript.exe
2780	WScript.exe
2780	WScript.exe
920	WScript.exe
920	WScript.exe
2576	WScript.exe
2576	WScript.exe
1440	WScript.exe
1440	WScript.exe
2864	WScript.exe
2864	WScript.exe
3004	WScript.exe
3004	WScript.exe
2356	WScript.exe
2356	WScript.exe
344	WScript.exe
344	WScript.exe
1612	WScript.exe
1612	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
2792	svchcst.exe
2792	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
692	svchcst.exe
692	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
1880	svchcst.exe
1880	svchcst.exe
1436	svchcst.exe
1436	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
1140	svchcst.exe
1140	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2704	1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe	31
PID 1016 wrote to memory of 2704	1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe	31
PID 1016 wrote to memory of 2704	1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe	31
PID 1016 wrote to memory of 2704	1016	1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe	31
PID 2704 wrote to memory of 2792	2704	WScript.exe	33
PID 2704 wrote to memory of 2792	2704	WScript.exe	33
PID 2704 wrote to memory of 2792	2704	WScript.exe	33
PID 2704 wrote to memory of 2792	2704	WScript.exe	33
PID 2792 wrote to memory of 2748	2792	svchcst.exe	34
PID 2792 wrote to memory of 2748	2792	svchcst.exe	34
PID 2792 wrote to memory of 2748	2792	svchcst.exe	34
PID 2792 wrote to memory of 2748	2792	svchcst.exe	34
PID 2792 wrote to memory of 2516	2792	svchcst.exe	35
PID 2792 wrote to memory of 2516	2792	svchcst.exe	35
PID 2792 wrote to memory of 2516	2792	svchcst.exe	35
PID 2792 wrote to memory of 2516	2792	svchcst.exe	35
PID 2748 wrote to memory of 2832	2748	WScript.exe	36
PID 2748 wrote to memory of 2832	2748	WScript.exe	36
PID 2748 wrote to memory of 2832	2748	WScript.exe	36
PID 2748 wrote to memory of 2832	2748	WScript.exe	36
PID 2832 wrote to memory of 828	2832	svchcst.exe	37
PID 2832 wrote to memory of 828	2832	svchcst.exe	37
PID 2832 wrote to memory of 828	2832	svchcst.exe	37
PID 2832 wrote to memory of 828	2832	svchcst.exe	37
PID 828 wrote to memory of 2016	828	WScript.exe	38
PID 828 wrote to memory of 2016	828	WScript.exe	38
PID 828 wrote to memory of 2016	828	WScript.exe	38
PID 828 wrote to memory of 2016	828	WScript.exe	38
PID 2016 wrote to memory of 3040	2016	svchcst.exe	39
PID 2016 wrote to memory of 3040	2016	svchcst.exe	39
PID 2016 wrote to memory of 3040	2016	svchcst.exe	39
PID 2016 wrote to memory of 3040	2016	svchcst.exe	39
PID 3040 wrote to memory of 2032	3040	WScript.exe	40
PID 3040 wrote to memory of 2032	3040	WScript.exe	40
PID 3040 wrote to memory of 2032	3040	WScript.exe	40
PID 3040 wrote to memory of 2032	3040	WScript.exe	40
PID 2032 wrote to memory of 1204	2032	svchcst.exe	41
PID 2032 wrote to memory of 1204	2032	svchcst.exe	41
PID 2032 wrote to memory of 1204	2032	svchcst.exe	41
PID 2032 wrote to memory of 1204	2032	svchcst.exe	41
PID 1204 wrote to memory of 2416	1204	WScript.exe	42
PID 1204 wrote to memory of 2416	1204	WScript.exe	42
PID 1204 wrote to memory of 2416	1204	WScript.exe	42
PID 1204 wrote to memory of 2416	1204	WScript.exe	42
PID 2416 wrote to memory of 920	2416	svchcst.exe	43
PID 2416 wrote to memory of 920	2416	svchcst.exe	43
PID 2416 wrote to memory of 920	2416	svchcst.exe	43
PID 2416 wrote to memory of 920	2416	svchcst.exe	43
PID 920 wrote to memory of 692	920	WScript.exe	44
PID 920 wrote to memory of 692	920	WScript.exe	44
PID 920 wrote to memory of 692	920	WScript.exe	44
PID 920 wrote to memory of 692	920	WScript.exe	44
PID 692 wrote to memory of 2092	692	svchcst.exe	45
PID 692 wrote to memory of 2092	692	svchcst.exe	45
PID 692 wrote to memory of 2092	692	svchcst.exe	45
PID 692 wrote to memory of 2092	692	svchcst.exe	45
PID 2092 wrote to memory of 2960	2092	WScript.exe	46
PID 2092 wrote to memory of 2960	2092	WScript.exe	46
PID 2092 wrote to memory of 2960	2092	WScript.exe	46
PID 2092 wrote to memory of 2960	2092	WScript.exe	46
PID 2960 wrote to memory of 2264	2960	svchcst.exe	47
PID 2960 wrote to memory of 2264	2960	svchcst.exe	47
PID 2960 wrote to memory of 2264	2960	svchcst.exe	47
PID 2960 wrote to memory of 2264	2960	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe
"C:\Users\Admin\AppData\Local\Temp\1bbefc9d546f87b88c54b698fea78e1ca2a1dfe557d77e94e141d6ff4ce76752.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
47335c965791b804698304f197206738

SHA1
ee4b0226f4b9e6b39c7ba824c4d5e62fd10549d2

SHA256
f26f19a43fc825e8b02c5cce5b32d697d4602621fd56a1dc31ed49820163bacc

SHA512
8cb2e813f6496dcc9cdcaeca97721d112a6d571e74f072fd5770accaaaee058efae689677958c9407c0384bfbd5e1114164b3f03b7dae729665db7674af48399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
453cd196a6b32f7de3d8b4fe400acea4

SHA1
6ee81f18955eb4a84ff68f786bb5efad7829d156

SHA256
1a626249168bee43ef3b59c512e1e3b0135913ef35fee9bed0eefefc57f50892

SHA512
d634487a313dd526d9fdfe1a52912e9be8c14abfeae209ecf7b8ccaafdda863ce377e5431e40e371f9c8f46c9063d0600343cf39773910680f85f20f737b9c30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ea78f5b83bcacf617e8d2f8f6c30e804

SHA1
afc2453968a6bd62c425c347e19262233f038b14

SHA256
500dcf13d225590dbc5cfbd96bf5f2cbd6e8579a5ac910305d34ed33f9aaeb42

SHA512
228d428710c0492e3069973d95730c7a71c323b3cb118f89c99f83990d58fe58d8c781d4c38300401dc51d0e9724f4aed51456d3ac1072254e0d07383ec0038e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
830269603921f50c7e3bd0ddb85b7537

SHA1
6656f42bd00386ea594bab411290a6224038275f

SHA256
4d0d16b2daab5d5c85896ebfd00e3fd41ed7955a63cee85e3b953d3e96a875fd

SHA512
8755cc505ef67c31310f23594adfc4061ba6eb4656b94209e437054216a53688ba792ce4cc579c110826bdeb2260b3ef1281d7670e5ce371cfdac3b30e465cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f01cb33e26e6d8aed61e29ca06107ce8

SHA1
f0f550a6f0250058c013a1fe0e6a89b12490bad8

SHA256
df748dc4abd3f3d1212ae58b0a4dcf8ba998751766854c3175e36023d76bd226

SHA512
295dc243d90eb39f30dee172b7904b1d5562c050598426591232e55ac5e4a2bd35048da3f526c52429c25b4c05bf9da444d6dfe2c0fdee5ffab612c03bcc4331

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f3ad834448b075d8c06effbef791c1e1

SHA1
fa0a012d5c83300fc6769c6e45444b116a41272f

SHA256
f95eecd2d4af3fbea6c299d743db113c27cb1ee11dc6b4198f57d55884276f79

SHA512
3315319ff6617c413232ec783fc9b948dbf5d42c98de61d6fcfd8184aeb228aeb84c074a76809e7350a307549a8d31d20c8a8588769014aabc060f5370580dcc

Download Submit
memory/692-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/828-45-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/920-100-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1016-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1016-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1140-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1140-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1436-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1436-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1880-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-119-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-14-0x0000000003F20000-0x000000000407F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-13-0x0000000003F20000-0x000000000407F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-32-0x00000000058F0000-0x0000000005A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-177-0x0000000004480000-0x00000000045DF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download