4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
Size

1.1MB
MD5

692139bd235a83648043abf1a813f1a4
SHA1

830f005eeebeb9177307603ed3bcc71479cc8a3c
SHA256

4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a
SHA512

ab8e1c343840a4f50549dce13feb8eddb7ccdd2d3e1489d461647a6c1a6444dac32910f8f4e9fc655af05876e71d40310f206ee2cb0735b9e69dd7e4e0b0f675
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2548	svchcst.exe
2756	svchcst.exe
2128	svchcst.exe
3000	svchcst.exe
392	svchcst.exe
2384	svchcst.exe
1620	svchcst.exe
3032	svchcst.exe
1600	svchcst.exe
1920	svchcst.exe
2216	svchcst.exe
552	svchcst.exe
1968	svchcst.exe
2088	svchcst.exe
952	svchcst.exe
2964	svchcst.exe
1824	svchcst.exe
1516	svchcst.exe
2500	svchcst.exe
2744	svchcst.exe
2888	svchcst.exe
2060	svchcst.exe
2124	svchcst.exe
2288	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2836	WScript.exe
2836	WScript.exe
2424	WScript.exe
1076	WScript.exe
1076	WScript.exe
2340	WScript.exe
1528	WScript.exe
1528	WScript.exe
1464	WScript.exe
1512	WScript.exe
1512	WScript.exe
2296	WScript.exe
2296	WScript.exe
2972	WScript.exe
2972	WScript.exe
2344	WScript.exe
2344	WScript.exe
3008	WScript.exe
3008	WScript.exe
3008	WScript.exe
3008	WScript.exe
2356	WScript.exe
2356	WScript.exe
2828	WScript.exe
1152	WScript.exe
1152	WScript.exe
1600	WScript.exe
1600	WScript.exe
2604	WScript.exe
2604	WScript.exe
2116	WScript.exe
2116	WScript.exe
2640	WScript.exe
2640	WScript.exe
572	WScript.exe
572	WScript.exe
2268	WScript.exe
2268	WScript.exe
2808	WScript.exe
2808	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
2548	svchcst.exe
2548	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
392	svchcst.exe
392	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
552	svchcst.exe
552	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2836	3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe	30
PID 3032 wrote to memory of 2836	3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe	30
PID 3032 wrote to memory of 2836	3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe	30
PID 3032 wrote to memory of 2836	3032	4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe	30
PID 2836 wrote to memory of 2548	2836	WScript.exe	32
PID 2836 wrote to memory of 2548	2836	WScript.exe	32
PID 2836 wrote to memory of 2548	2836	WScript.exe	32
PID 2836 wrote to memory of 2548	2836	WScript.exe	32
PID 2548 wrote to memory of 2424	2548	svchcst.exe	33
PID 2548 wrote to memory of 2424	2548	svchcst.exe	33
PID 2548 wrote to memory of 2424	2548	svchcst.exe	33
PID 2548 wrote to memory of 2424	2548	svchcst.exe	33
PID 2424 wrote to memory of 2756	2424	WScript.exe	34
PID 2424 wrote to memory of 2756	2424	WScript.exe	34
PID 2424 wrote to memory of 2756	2424	WScript.exe	34
PID 2424 wrote to memory of 2756	2424	WScript.exe	34
PID 2756 wrote to memory of 1076	2756	svchcst.exe	35
PID 2756 wrote to memory of 1076	2756	svchcst.exe	35
PID 2756 wrote to memory of 1076	2756	svchcst.exe	35
PID 2756 wrote to memory of 1076	2756	svchcst.exe	35
PID 2756 wrote to memory of 2764	2756	svchcst.exe	36
PID 2756 wrote to memory of 2764	2756	svchcst.exe	36
PID 2756 wrote to memory of 2764	2756	svchcst.exe	36
PID 2756 wrote to memory of 2764	2756	svchcst.exe	36
PID 1076 wrote to memory of 2128	1076	WScript.exe	37
PID 1076 wrote to memory of 2128	1076	WScript.exe	37
PID 1076 wrote to memory of 2128	1076	WScript.exe	37
PID 1076 wrote to memory of 2128	1076	WScript.exe	37
PID 2128 wrote to memory of 2340	2128	svchcst.exe	38
PID 2128 wrote to memory of 2340	2128	svchcst.exe	38
PID 2128 wrote to memory of 2340	2128	svchcst.exe	38
PID 2128 wrote to memory of 2340	2128	svchcst.exe	38
PID 2340 wrote to memory of 3000	2340	WScript.exe	39
PID 2340 wrote to memory of 3000	2340	WScript.exe	39
PID 2340 wrote to memory of 3000	2340	WScript.exe	39
PID 2340 wrote to memory of 3000	2340	WScript.exe	39
PID 3000 wrote to memory of 1528	3000	svchcst.exe	40
PID 3000 wrote to memory of 1528	3000	svchcst.exe	40
PID 3000 wrote to memory of 1528	3000	svchcst.exe	40
PID 3000 wrote to memory of 1528	3000	svchcst.exe	40
PID 1528 wrote to memory of 392	1528	WScript.exe	41
PID 1528 wrote to memory of 392	1528	WScript.exe	41
PID 1528 wrote to memory of 392	1528	WScript.exe	41
PID 1528 wrote to memory of 392	1528	WScript.exe	41
PID 392 wrote to memory of 1464	392	svchcst.exe	42
PID 392 wrote to memory of 1464	392	svchcst.exe	42
PID 392 wrote to memory of 1464	392	svchcst.exe	42
PID 392 wrote to memory of 1464	392	svchcst.exe	42
PID 1528 wrote to memory of 2384	1528	WScript.exe	43
PID 1528 wrote to memory of 2384	1528	WScript.exe	43
PID 1528 wrote to memory of 2384	1528	WScript.exe	43
PID 1528 wrote to memory of 2384	1528	WScript.exe	43
PID 2384 wrote to memory of 2296	2384	svchcst.exe	44
PID 2384 wrote to memory of 2296	2384	svchcst.exe	44
PID 2384 wrote to memory of 2296	2384	svchcst.exe	44
PID 2384 wrote to memory of 2296	2384	svchcst.exe	44
PID 1464 wrote to memory of 1620	1464	WScript.exe	45
PID 1464 wrote to memory of 1620	1464	WScript.exe	45
PID 1464 wrote to memory of 1620	1464	WScript.exe	45
PID 1464 wrote to memory of 1620	1464	WScript.exe	45
PID 1620 wrote to memory of 1512	1620	svchcst.exe	46
PID 1620 wrote to memory of 1512	1620	svchcst.exe	46
PID 1620 wrote to memory of 1512	1620	svchcst.exe	46
PID 1620 wrote to memory of 1512	1620	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe
"C:\Users\Admin\AppData\Local\Temp\4094a77af8766c0431a312e6d435ff536514f8124e51f8c4f12e9b41df12ea1a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5cfaf550c0c90a99696701ea8622331e

SHA1
cf316cb835eb8de5823651a92b83a647255d6c78

SHA256
013cc6bc36eaf1edf2422145495592b86549e71b4c8e7af703cc1f1fe7278acb

SHA512
5caeb314d363c273efed0ab08e1e758754e452c6e9f95860f255bbda052be078e126b3c0a44cab6dfbaee693d8bcf4d1c831fc5cdf5962fc3a56b9f1a796c91a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
840853c0aa5a4d702a8110a0cb763b4b

SHA1
58d028e09818c3fd2a9d521c26772cf4d1a9072a

SHA256
4438df44bf53668a332407b1c60d745bd1293a3f1acab9953b1d77e5131d2728

SHA512
f2b044e4710dadb03164bc78519207bd8d39d2cf9d4568fc11c38271eabc3e57410083b1cf29e40b1f6119ffa33ed4784ef652f112e50b554c2983755a606b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4dc589917512e517a25e653252327773

SHA1
f917b2a707b47fe0a05f4081d7301f856ab70ad0

SHA256
4fff2b3b1b787e81e2dde21a03185d5370a963edaee85247adb8422c7a851167

SHA512
c82a1df083b812b8351a3f962bf9eaa0e837bd42ad5e19aeb94fa8ac21d600a5c00fc0b4fd81f31d805e4a93a29b0109ab44a2237e08cdb8ddbce0498d8076e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94d37d9b8dfb0b9ae562276de67a5247

SHA1
9b34388394f5f5b3137d8acef05b48ff0bd7cc12

SHA256
a9865a8c48ea2015f508cc4f0ff17a7c8372bfda238107b181a74b5e66229a8e

SHA512
d537128bdfc961d813e83e091f10b9c3fc82356af473dcc326abd848dbdc750569b75656eb6e0795a4a4768f47751b2e29c7b47fcc0b96421587ff6cea8c7e60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
df92b7a9db6ad49b4c6c827eaa6a9b35

SHA1
971ed044ede1892e05cb7c04cd502f6531231c81

SHA256
82d95b4b9bb00cf5f43613275fcf07ff215281a3ae2d255707b85be17084f6d0

SHA512
6fc17a3a9c437050dc3f7b5d0c1a64f59c7e23749cdbcd5179ff0cbe93a09cba569e58545815996550df41bd63ce004b2e1b438b3c6bea06fb4da6c120e8fcf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1be44ecbd5e0e880dcf97e9be339516b

SHA1
44014cf0da3e6e41155be4b604813d954314781a

SHA256
b8e4f53c104bc791d62cd4e183af24b504d26bf49952a278c0b9896501ba0fbc

SHA512
ff06793607393c9ff60db8c5c384c210f4ac4580927eb3ab1bd8f13a6e1cd62dae1bb37533f736289f2d5ec208067c8b419addbe1a2512c4c3df2d2ec69bd3b8

Download Submit
memory/392-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-190-0x0000000005910000-0x0000000005A6F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-89-0x00000000045B0000-0x000000000470F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-122-0x0000000005B80000-0x0000000005CDF000-memory.dmp

Filesize
1.4MB

Download
memory/1512-102-0x0000000005B80000-0x0000000005CDF000-memory.dmp

Filesize
1.4MB

Download
memory/1512-113-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/1516-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-77-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-78-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-198-0x00000000059A0000-0x0000000005AFF000-memory.dmp

Filesize
1.4MB

Download
memory/1600-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-216-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/2124-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-151-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/2356-176-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-224-0x00000000049F0000-0x0000000004B4F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-14-0x0000000004480000-0x00000000045DF000-memory.dmp

Filesize
1.4MB

Download
memory/2836-15-0x0000000004480000-0x00000000045DF000-memory.dmp

Filesize
1.4MB

Download
memory/2888-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-140-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/3000-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-160-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download