3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
Size

1.1MB
MD5

11107a055699d5bad90ccab080f3861f
SHA1

7c5a819de26ff9ec5ab963afa21402166abf4c64
SHA256

3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8
SHA512

b295fd5c6a707341ac9b414a509acf98c8b9998d24c926f09162adefcbb89829be3f3bcf5fb7c9e389951b234ea50a76fb0ce2c261c4183085f8f895dd16de31
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qv:acallSllG4ZM7QzM4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2320	svchcst.exe
1504	svchcst.exe
536	svchcst.exe
408	svchcst.exe
296	svchcst.exe
2132	svchcst.exe
2484	svchcst.exe
1628	svchcst.exe
2944	svchcst.exe
2900	svchcst.exe
2820	svchcst.exe
536	svchcst.exe
408	svchcst.exe
2020	svchcst.exe
1400	svchcst.exe
2600	svchcst.exe
376	svchcst.exe
2704	svchcst.exe
1668	svchcst.exe
2216	svchcst.exe
2400	svchcst.exe
984	svchcst.exe
3012	svchcst.exe
1968	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2652	WScript.exe
2652	WScript.exe
2884	WScript.exe
2884	WScript.exe
1244	WScript.exe
1244	WScript.exe
2088	WScript.exe
1716	WScript.exe
1716	WScript.exe
1716	WScript.exe
1836	WScript.exe
1836	WScript.exe
1836	WScript.exe
2576	WScript.exe
2576	WScript.exe
544	WScript.exe
544	WScript.exe
2240	WScript.exe
2240	WScript.exe
2204	WScript.exe
1216	WScript.exe
1216	WScript.exe
3036	WScript.exe
3036	WScript.exe
2936	WScript.exe
2936	WScript.exe
3048	WScript.exe
3048	WScript.exe
1604	WScript.exe
1604	WScript.exe
2920	WScript.exe
2920	WScript.exe
800	WScript.exe
800	WScript.exe
1084	WScript.exe
1084	WScript.exe
1440	WScript.exe
1440	WScript.exe
2352	WScript.exe
2352	WScript.exe
2584	WScript.exe
2584	WScript.exe
2992	WScript.exe
2992	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
2320	svchcst.exe
2320	svchcst.exe
1504	svchcst.exe
1504	svchcst.exe
536	svchcst.exe
536	svchcst.exe
408	svchcst.exe
408	svchcst.exe
296	svchcst.exe
296	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
536	svchcst.exe
536	svchcst.exe
408	svchcst.exe
408	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
1400	svchcst.exe
1400	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
376	svchcst.exe
376	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
984	svchcst.exe
984	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2652	1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe	30
PID 1892 wrote to memory of 2652	1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe	30
PID 1892 wrote to memory of 2652	1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe	30
PID 1892 wrote to memory of 2652	1892	3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe	30
PID 2652 wrote to memory of 2320	2652	WScript.exe	32
PID 2652 wrote to memory of 2320	2652	WScript.exe	32
PID 2652 wrote to memory of 2320	2652	WScript.exe	32
PID 2652 wrote to memory of 2320	2652	WScript.exe	32
PID 2320 wrote to memory of 2884	2320	svchcst.exe	33
PID 2320 wrote to memory of 2884	2320	svchcst.exe	33
PID 2320 wrote to memory of 2884	2320	svchcst.exe	33
PID 2320 wrote to memory of 2884	2320	svchcst.exe	33
PID 2884 wrote to memory of 1504	2884	WScript.exe	34
PID 2884 wrote to memory of 1504	2884	WScript.exe	34
PID 2884 wrote to memory of 1504	2884	WScript.exe	34
PID 2884 wrote to memory of 1504	2884	WScript.exe	34
PID 1504 wrote to memory of 1244	1504	svchcst.exe	35
PID 1504 wrote to memory of 1244	1504	svchcst.exe	35
PID 1504 wrote to memory of 1244	1504	svchcst.exe	35
PID 1504 wrote to memory of 1244	1504	svchcst.exe	35
PID 1504 wrote to memory of 1976	1504	svchcst.exe	36
PID 1504 wrote to memory of 1976	1504	svchcst.exe	36
PID 1504 wrote to memory of 1976	1504	svchcst.exe	36
PID 1504 wrote to memory of 1976	1504	svchcst.exe	36
PID 1244 wrote to memory of 536	1244	WScript.exe	37
PID 1244 wrote to memory of 536	1244	WScript.exe	37
PID 1244 wrote to memory of 536	1244	WScript.exe	37
PID 1244 wrote to memory of 536	1244	WScript.exe	37
PID 536 wrote to memory of 2088	536	svchcst.exe	38
PID 536 wrote to memory of 2088	536	svchcst.exe	38
PID 536 wrote to memory of 2088	536	svchcst.exe	38
PID 536 wrote to memory of 2088	536	svchcst.exe	38
PID 2088 wrote to memory of 408	2088	WScript.exe	39
PID 2088 wrote to memory of 408	2088	WScript.exe	39
PID 2088 wrote to memory of 408	2088	WScript.exe	39
PID 2088 wrote to memory of 408	2088	WScript.exe	39
PID 408 wrote to memory of 1716	408	svchcst.exe	40
PID 408 wrote to memory of 1716	408	svchcst.exe	40
PID 408 wrote to memory of 1716	408	svchcst.exe	40
PID 408 wrote to memory of 1716	408	svchcst.exe	40
PID 1716 wrote to memory of 296	1716	WScript.exe	41
PID 1716 wrote to memory of 296	1716	WScript.exe	41
PID 1716 wrote to memory of 296	1716	WScript.exe	41
PID 1716 wrote to memory of 296	1716	WScript.exe	41
PID 296 wrote to memory of 1836	296	svchcst.exe	42
PID 296 wrote to memory of 1836	296	svchcst.exe	42
PID 296 wrote to memory of 1836	296	svchcst.exe	42
PID 296 wrote to memory of 1836	296	svchcst.exe	42
PID 1716 wrote to memory of 2132	1716	WScript.exe	43
PID 1716 wrote to memory of 2132	1716	WScript.exe	43
PID 1716 wrote to memory of 2132	1716	WScript.exe	43
PID 1716 wrote to memory of 2132	1716	WScript.exe	43
PID 2132 wrote to memory of 2468	2132	svchcst.exe	44
PID 2132 wrote to memory of 2468	2132	svchcst.exe	44
PID 2132 wrote to memory of 2468	2132	svchcst.exe	44
PID 2132 wrote to memory of 2468	2132	svchcst.exe	44
PID 1836 wrote to memory of 2484	1836	WScript.exe	45
PID 1836 wrote to memory of 2484	1836	WScript.exe	45
PID 1836 wrote to memory of 2484	1836	WScript.exe	45
PID 1836 wrote to memory of 2484	1836	WScript.exe	45
PID 1836 wrote to memory of 1628	1836	WScript.exe	46
PID 1836 wrote to memory of 1628	1836	WScript.exe	46
PID 1836 wrote to memory of 1628	1836	WScript.exe	46
PID 1836 wrote to memory of 1628	1836	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe
"C:\Users\Admin\AppData\Local\Temp\3a73f28addfe97376973a4570f438295bcc6b5c1106c2d0474a444b70f6e63b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
35248e8ffbe1b704260ec2d716bbd5a7

SHA1
6a26b3e8443e62a28fe984f1ca0b977e6d5684e4

SHA256
66daa29eba5012520fb1a5d1a2472785470c874fe4fc973cc967e50413511454

SHA512
6f1dc250b9152c3a629de3157d0a95f48dd3497dcfe2bec677c2d7839c5a64564551a3300ee6c2bbac1170bd447c5890e76a55cc0206c060d21bcb808bc42c30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dbfd949debe257da6cd03fc569368556

SHA1
894e3e95f359131db9f435ba751600fd47e52153

SHA256
b0806b5cbf7c80f9ac2f41ef4ebad3f67c2bb86a520c4667e1aabe90d7ea7cc6

SHA512
ffc4cf73936809bc36e19e586ac457436fe6f3e9d8c48e6855104f973581beeb81889b43a09aca3055faad4d5843d947c47afd02c41899a7bd53970ca6194841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5d58431f69bae657efa1e6cd95c3be69

SHA1
1d8fdb5d18503307a59a435cc7e2b86e196d47d9

SHA256
9b1166e21f5c9488946a6a9c5113d60f8637c37429ecdc521edec16abf998e19

SHA512
dc8d1fb394c2b4e691fbeca0b44324213edd2a4fd168e02066f1d49aae540944c6ad222eba8e35b09282eaff74d0bb293d948f0a119659b631685b98a1e6b239

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ae6fbfbd9a4b99f5c1ea04a5d67dfd99

SHA1
9605a413fbabf43bf66102c146c299073a94dd25

SHA256
b2b9ff859520d482d1e4620254a77b7710f0a07ff2913f00c51bf28c6ee30f9a

SHA512
fba25ca3b5657736af51b98a478299052d0a1324c71a98cb78fc816fdf00e9cc7326c781b3799d91b6e2235881e29abddb93d408437ae9cb889b390d1d2c2010

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
15a9c482ae726313cffe340ac0971a59

SHA1
6aa5b450edf8fddf33e7931ff56b09a43cdea132

SHA256
4ee20c64d3c8b3247f7994329ccdd86bc7fd671304fbc2956042de3e3320e26a

SHA512
1e734edc38e91db3b18239c87d3780957933879dddebbd084cdc53084091c25c695409c5b467123e3444507e3840e46b4aabb617c2e4ab9a89f88215c4a2e2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a7c4bb69f50ec530160c0d8ef925740

SHA1
589f789accbb72b1bd7c40357d93daf7a3f6d311

SHA256
76723add8195a0c0c3e3b6d66e8bc725c650cf97451fe42bff76dfb7e6425d6c

SHA512
8849da8c9b434354ae199a1bf7be66f20867c682b4d6f1a39c66557bb6fb24402838d9c3036dcd2e1d4554f6f71e14ca1a776529f8de9fdb16167451a918f038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a02d18accbe338cac72676304b81680f

SHA1
ae14bf77a442d1e897c7171a9293d088586b5603

SHA256
d608b14078075db246d1df103c36660c1249fc815ba4e8682b6fc6e2300abf85

SHA512
5064a3b38af8b062cc869660cbc1697a77a3c07440a133e26657320dab85f8c6ccdfeb6cb1b0ba5efe98a85a2af9424fd065df75cea1c5ecc2c0f049e4fa96d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
417e621525cef55242bd026da8525318

SHA1
25ea54a4f807ce94d089b4ee8215fb10de3f3cb6

SHA256
f09e0aa832a48ad2622917296900009bf69ba35667a3d046e6b343cf9436de07

SHA512
0e8c7b038e0ec106c58da7d1e5933d9aedc1840406746db83a43a3ccc1d1f5e84f560970efdc2c2c17fbc1c951bf6400092bb8a6534e28ff59164f66d74556c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d566dbb38a8a7e0be860b142acd8d74f

SHA1
d076a1fe38490dd0ae678523b2ebeec67a9b7246

SHA256
c952509c1de3e84b6bb7bf1bbe7b2071893327c16a0dbcfc5e904639ae5af88a

SHA512
b5702339eed2a4cd8377cf141b7a1960a6cba8777bbe40c1a240b62c40435321f3ab1d2a071807aa6735a96e9678b5923f180364c16ee279db436bb74ae1426b

Download Submit
memory/296-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/296-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/376-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/376-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/408-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/408-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/408-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/984-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-48-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-70-0x0000000004540000-0x000000000469F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-84-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-15-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2652-12-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2704-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-32-0x0000000005790000-0x00000000058EF000-memory.dmp

Filesize
1.4MB

Download
memory/2884-31-0x0000000005790000-0x00000000058EF000-memory.dmp

Filesize
1.4MB

Download
memory/2900-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-168-0x0000000005960000-0x0000000005ABF000-memory.dmp

Filesize
1.4MB

Download