225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da

Analysis

max time kernel
133s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 10:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
Size

1.1MB
MD5

a427a7810938d546e67e2a34f87085a3
SHA1

67977b9c5cf86a29b3d032368d4f5248267cf673
SHA256

225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da
SHA512

9d40dc4f2d20761e7c23b71f1725a8475397c395f550a60babeb207fe0a215b7f2b7e12df2a912040b9b0dedadf8bc301a2111262c196c7ca7d9ff3ba62bf3e6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qo:acallSllG4ZM7QzMf

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
696	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
696	svchcst.exe
1972	svchcst.exe
1232	svchcst.exe
2224	svchcst.exe
2272	svchcst.exe
1380	svchcst.exe
1720	svchcst.exe
2644	svchcst.exe
2132	svchcst.exe
1764	svchcst.exe
2352	svchcst.exe
108	svchcst.exe
1632	svchcst.exe
1208	svchcst.exe
2220	svchcst.exe
2952	svchcst.exe
1972	svchcst.exe
2512	svchcst.exe
2516	svchcst.exe
3032	svchcst.exe
2152	svchcst.exe
1652	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2780	WScript.exe
2780	WScript.exe
2336	WScript.exe
2336	WScript.exe
2104	WScript.exe
2104	WScript.exe
2308	WScript.exe
2308	WScript.exe
1652	WScript.exe
1652	WScript.exe
1192	WScript.exe
1192	WScript.exe
2220	WScript.exe
2220	WScript.exe
2996	WScript.exe
2996	WScript.exe
1160	WScript.exe
1160	WScript.exe
2968	WScript.exe
2968	WScript.exe
1696	WScript.exe
1044	WScript.exe
1044	WScript.exe
548	WScript.exe
548	WScript.exe
904	WScript.exe
904	WScript.exe
844	WScript.exe
844	WScript.exe
2772	WScript.exe
2772	WScript.exe
2072	WScript.exe
2072	WScript.exe
2504	WScript.exe
2504	WScript.exe
2988	WScript.exe
2988	WScript.exe
1412	WScript.exe
1412	WScript.exe
1552	WScript.exe
1920	WScript.exe
1920	WScript.exe
1552	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe
696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
696	svchcst.exe
696	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
108	svchcst.exe
108	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
1208	svchcst.exe
1208	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2152	svchcst.exe
1652	svchcst.exe
2152	svchcst.exe
1652	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2780	2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe	30
PID 2892 wrote to memory of 2780	2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe	30
PID 2892 wrote to memory of 2780	2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe	30
PID 2892 wrote to memory of 2780	2892	225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe	30
PID 2780 wrote to memory of 696	2780	WScript.exe	32
PID 2780 wrote to memory of 696	2780	WScript.exe	32
PID 2780 wrote to memory of 696	2780	WScript.exe	32
PID 2780 wrote to memory of 696	2780	WScript.exe	32
PID 696 wrote to memory of 2336	696	svchcst.exe	33
PID 696 wrote to memory of 2336	696	svchcst.exe	33
PID 696 wrote to memory of 2336	696	svchcst.exe	33
PID 696 wrote to memory of 2336	696	svchcst.exe	33
PID 2336 wrote to memory of 1972	2336	WScript.exe	34
PID 2336 wrote to memory of 1972	2336	WScript.exe	34
PID 2336 wrote to memory of 1972	2336	WScript.exe	34
PID 2336 wrote to memory of 1972	2336	WScript.exe	34
PID 1972 wrote to memory of 2104	1972	svchcst.exe	35
PID 1972 wrote to memory of 2104	1972	svchcst.exe	35
PID 1972 wrote to memory of 2104	1972	svchcst.exe	35
PID 1972 wrote to memory of 2104	1972	svchcst.exe	35
PID 2104 wrote to memory of 1232	2104	WScript.exe	36
PID 2104 wrote to memory of 1232	2104	WScript.exe	36
PID 2104 wrote to memory of 1232	2104	WScript.exe	36
PID 2104 wrote to memory of 1232	2104	WScript.exe	36
PID 1232 wrote to memory of 2308	1232	svchcst.exe	37
PID 1232 wrote to memory of 2308	1232	svchcst.exe	37
PID 1232 wrote to memory of 2308	1232	svchcst.exe	37
PID 1232 wrote to memory of 2308	1232	svchcst.exe	37
PID 2308 wrote to memory of 2224	2308	WScript.exe	38
PID 2308 wrote to memory of 2224	2308	WScript.exe	38
PID 2308 wrote to memory of 2224	2308	WScript.exe	38
PID 2308 wrote to memory of 2224	2308	WScript.exe	38
PID 2224 wrote to memory of 1652	2224	svchcst.exe	39
PID 2224 wrote to memory of 1652	2224	svchcst.exe	39
PID 2224 wrote to memory of 1652	2224	svchcst.exe	39
PID 2224 wrote to memory of 1652	2224	svchcst.exe	39
PID 1652 wrote to memory of 2272	1652	WScript.exe	41
PID 1652 wrote to memory of 2272	1652	WScript.exe	41
PID 1652 wrote to memory of 2272	1652	WScript.exe	41
PID 1652 wrote to memory of 2272	1652	WScript.exe	41
PID 2272 wrote to memory of 1192	2272	svchcst.exe	42
PID 2272 wrote to memory of 1192	2272	svchcst.exe	42
PID 2272 wrote to memory of 1192	2272	svchcst.exe	42
PID 2272 wrote to memory of 1192	2272	svchcst.exe	42
PID 1192 wrote to memory of 1380	1192	WScript.exe	43
PID 1192 wrote to memory of 1380	1192	WScript.exe	43
PID 1192 wrote to memory of 1380	1192	WScript.exe	43
PID 1192 wrote to memory of 1380	1192	WScript.exe	43
PID 1380 wrote to memory of 2220	1380	svchcst.exe	44
PID 1380 wrote to memory of 2220	1380	svchcst.exe	44
PID 1380 wrote to memory of 2220	1380	svchcst.exe	44
PID 1380 wrote to memory of 2220	1380	svchcst.exe	44
PID 2220 wrote to memory of 1720	2220	WScript.exe	45
PID 2220 wrote to memory of 1720	2220	WScript.exe	45
PID 2220 wrote to memory of 1720	2220	WScript.exe	45
PID 2220 wrote to memory of 1720	2220	WScript.exe	45
PID 1720 wrote to memory of 2996	1720	svchcst.exe	46
PID 1720 wrote to memory of 2996	1720	svchcst.exe	46
PID 1720 wrote to memory of 2996	1720	svchcst.exe	46
PID 1720 wrote to memory of 2996	1720	svchcst.exe	46
PID 2996 wrote to memory of 2644	2996	WScript.exe	47
PID 2996 wrote to memory of 2644	2996	WScript.exe	47
PID 2996 wrote to memory of 2644	2996	WScript.exe	47
PID 2996 wrote to memory of 2644	2996	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe
"C:\Users\Admin\AppData\Local\Temp\225bca3f01d288f6bacad5fc35e7b65441ac42e1720be28f713ddca780eaf8da.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
431d78acf5cbba33a2741728fb0af85a

SHA1
36a7744e2c9582af3800aea4be570167b0dc525c

SHA256
0e3d08cd46c6e2d023e9f3ae45d9c9d7a1859865f2aaec5b105e763872f1588e

SHA512
e698715d63250c3d151b6027e325f00d93cb4583276c387e9898ba0726dfd23394618eed27b98ca2fc4f388569006bcf5850baf168d5a8379345ee7daacd8e14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0d7287608e57c918d75f595179c5fa29

SHA1
d16c5add83d14855a0d674ca2d287ef0233e7062

SHA256
539b077eb4ef610403f7c3cdec3fd11482b2a0c4f3c254c2e8f6f2a51905c9d1

SHA512
0050624a5937e196a1e7d08318d9a499ea706cf8023bf7c6b1ba42a671e98e202ab83723740e9aab99bd6c17c3895ca1f2b17f6e94dd81d1d01c064b997c8bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e08649f2b7b5fd5618fdb21c98fab5f2

SHA1
ea149a4107e10e9467e7831f91497dbb30220616

SHA256
efab6d52b6015282557d7c8757ef1943af79f2730492afe5d5e25ab09e7936c3

SHA512
bdb1863832634da5313fb5abdec5f72581cb9e8f36e0a4f31664d2b184f0d13e44f3a6c384374ae7c526e62e5d6d7ff6950f3fc4379ba36e2209977d99704ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f94febdc218c50c5874ab8f79404590b

SHA1
9ab3f927fa1b5177f51f1ea6ce984a473d940c37

SHA256
cb99fd88ae8e32314cafe92e1636608bec8f3ce2d12b59e0675f099da8083cfe

SHA512
7f9c401812ffb40488dd10c43376f64cd6855a94a0fe6ae3a4ae2cef129ab7f4b495876b5769756db891939485249d71eea2ed8d6b42a0072e3c873cb86d1f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7d0763c03abbb18b3bad19ca61105b14

SHA1
67bfe7d5a0f4179cfd864e88d651e14899a66536

SHA256
8c66a32c356961b390d6b2d00dca0f97bbab5996eca71d034292fc8f1337bbbf

SHA512
4a29a45a19cd8161befd62861df6afe4e0f0b2935efe8e23e2a0c8077aac50fadfc85cef8a90534739fbdd35b44a49af36c48fa0ae9537f6ab6284750ff0ebbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
702bdabc93e6ca486a5d294d02b1af8d

SHA1
616544d9fca9f5b5d91b56bf916a27e015ed9377

SHA256
6abea62b9fb80aea15c8a103a30086c22682cdb7828774ec27cf24690d76028a

SHA512
abcc1484080da5af63c716b0fc5d12e970ab4dd4272fc8df6ae05329187478a38e050e5dc0c470ff3dfab4d9f533617df7c414bc26458a4c4948fe45b88d1e8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c2ef6c7e30c03fa4c9f781100e25a1cf

SHA1
6983810d75b4fa9d6d7b885ac61a1f87294b37a1

SHA256
589948005bcf3da7c64150141e9d9ab87020432beeef391f459d1745bb73b47b

SHA512
726a4ef44458bb07bcc1effbe4a4dc9d825443d41646b371fa62c2f2d9fdb98df8731cb1155255fac207151661202a7e82e5bbc70b137481a66f1b28a1b0660c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91a0bc5cf487be009543ff77b2dddb1c

SHA1
d30aab3d48e7f02703f2b6eb5486193e367036da

SHA256
d668d41d035d33faa3b0d4db6d6e65758c9f5e8062db40ef11587d6a6ce1a793

SHA512
368c6b4214c5aee88f1def6d2e71cfbc2f97baabea70f9e0635fa4eb18ed67a7708fbe196ee7fa38c885e1182a373f7d99305d7804767668bfcf36c526e8bba1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5a29385d20b307109c423f7eabb945a1

SHA1
4fc5cb810973469ed925c3ca25c80cf8a5f1b225

SHA256
346eac819589d8162e0023ab6a6e32302c80e4e1e38e48a801f9e694ecca63b9

SHA512
8f50cb8876ea7c2c0a9b73d5dd9e38c9a37872beda614402319f09dabe99cb9e1f35d019d883206c949c84b1f9b39b59f5a3466bb1ba2d9c17c33e732f248838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8c2d81be0c1571ff2ed949b9bfab98c

SHA1
70bef13a7df4a0d5afb092c48abfe42206fdf769

SHA256
561e6ee6c577f231578685417107a11c5a9e970879fd82428c9bee4410d81057

SHA512
f6707440b0bf2f2afe36683d3791894f3f2d1fe0ed3ede44302d739f7dd77b3edce994e24ad4bac46a7c36c0f2f1b91dd7bd8002059ff71032b8c19f82ab9d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc51f614360f158b29f8931e84bcefa9

SHA1
c038d83968612ac287fce5d078ecfbb2b07e0d37

SHA256
72a3f7232f96486ae00ea0862d5643b5f01994b0d6b74f03226d638ff431002d

SHA512
2736c3be4f6ebed54a1e7964822cc224cfa3e7729999a4690093662b67549756456244bae86f0d4306504f6c609f1ee040192c1ca363ec4505395239ccc8bb5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ef58657c5de74c382b5c1540eaa855a

SHA1
93020afe245165f5f113b128f2a34317a214881c

SHA256
956ba575a582348defd2b218c178a59c49ed30d88dd9edf2f62f897ea7889ee9

SHA512
df229452889cd51875d7ecbec90ec77f0b210984ad6108f2d7fc3fe4757f45c25c0b7352f825e830118a167137c4aaf9b2dd5e0f2ffe7639df7c3d12390070d4

Download Submit
memory/108-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/548-172-0x00000000045C0000-0x000000000471F000-memory.dmp

Filesize
1.4MB

Download
memory/696-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/696-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-189-0x00000000044D0000-0x000000000462F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-164-0x0000000004770000-0x00000000048CF000-memory.dmp

Filesize
1.4MB

Download
memory/1160-132-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/1208-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1232-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1380-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-240-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-237-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1632-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1632-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-75-0x00000000049E0000-0x0000000004B3F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-76-0x00000000049E0000-0x0000000004B3F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-156-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-239-0x0000000004410000-0x000000000456F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-238-0x0000000004410000-0x000000000456F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-46-0x0000000004580000-0x00000000046DF000-memory.dmp

Filesize
1.4MB

Download
memory/2132-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-103-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2272-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-60-0x00000000041C0000-0x000000000431F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-31-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/2336-30-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/2352-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-197-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/2780-15-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-13-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-145-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-146-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2988-220-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-115-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download