08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Size

1.1MB
MD5

664ba2abd33f1369879e9c034225e215
SHA1

73af3ce078cb89ca29accd0683880e38434bb58f
SHA256

08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc
SHA512

a7bda79a247ad4c29baf6b08ceb2ae1d547f0e467d34695115865789f1a532b2b63f71cac977685f60e8da491580d7137a0551a5a5323731130d49779aa34c3e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	svchcst.exe

Executes dropped EXE 33 IoCs

pid	Process
2576	svchcst.exe
1964	svchcst.exe
552	svchcst.exe
1540	svchcst.exe
444	svchcst.exe
1096	svchcst.exe
3020	svchcst.exe
2216	svchcst.exe
2348	svchcst.exe
2932	svchcst.exe
2888	svchcst.exe
2228	svchcst.exe
1108	svchcst.exe
2024	svchcst.exe
1080	svchcst.exe
2576	svchcst.exe
1276	svchcst.exe
2352	svchcst.exe
2592	svchcst.exe
1320	svchcst.exe
780	svchcst.exe
1640	svchcst.exe
2060	svchcst.exe
2680	svchcst.exe
444	svchcst.exe
2168	svchcst.exe
540	svchcst.exe
1768	svchcst.exe
1736	svchcst.exe
684	svchcst.exe
764	svchcst.exe
1496	svchcst.exe
2344	svchcst.exe

Loads dropped DLL 54 IoCs

pid	Process
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2792	WScript.exe
2308	WScript.exe
2308	WScript.exe
264	WScript.exe
264	WScript.exe
2976	WScript.exe
1464	WScript.exe
1464	WScript.exe
1620	WScript.exe
1620	WScript.exe
2892	WScript.exe
2892	WScript.exe
2348	WScript.exe
1864	WScript.exe
1864	WScript.exe
548	WScript.exe
548	WScript.exe
2440	WScript.exe
2440	WScript.exe
2104	WScript.exe
2104	WScript.exe
2024	WScript.exe
2024	WScript.exe
1608	WScript.exe
1608	WScript.exe
1964	WScript.exe
1964	WScript.exe
2760	WScript.exe
2760	WScript.exe
2328	WScript.exe
2328	WScript.exe
776	WScript.exe
776	WScript.exe
960	WScript.exe
960	WScript.exe
2140	WScript.exe
2140	WScript.exe
1716	WScript.exe
1716	WScript.exe
1904	WScript.exe
1904	WScript.exe
2580	WScript.exe
2580	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
2576	svchcst.exe
2576	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
552	svchcst.exe
552	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
444	svchcst.exe
444	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2228	svchcst.exe
2228	svchcst.exe
1108	svchcst.exe
1108	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1276	svchcst.exe
1276	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
780	svchcst.exe
780	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
444	svchcst.exe
444	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
540	svchcst.exe
540	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe
684	svchcst.exe
684	svchcst.exe
764	svchcst.exe
764	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2792	2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	30
PID 2168 wrote to memory of 2792	2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	30
PID 2168 wrote to memory of 2792	2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	30
PID 2168 wrote to memory of 2792	2168	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	30
PID 2792 wrote to memory of 2576	2792	WScript.exe	32
PID 2792 wrote to memory of 2576	2792	WScript.exe	32
PID 2792 wrote to memory of 2576	2792	WScript.exe	32
PID 2792 wrote to memory of 2576	2792	WScript.exe	32
PID 2792 wrote to memory of 1964	2792	WScript.exe	33
PID 2792 wrote to memory of 1964	2792	WScript.exe	33
PID 2792 wrote to memory of 1964	2792	WScript.exe	33
PID 2792 wrote to memory of 1964	2792	WScript.exe	33
PID 2792 wrote to memory of 552	2792	WScript.exe	34
PID 2792 wrote to memory of 552	2792	WScript.exe	34
PID 2792 wrote to memory of 552	2792	WScript.exe	34
PID 2792 wrote to memory of 552	2792	WScript.exe	34
PID 2792 wrote to memory of 1540	2792	WScript.exe	35
PID 2792 wrote to memory of 1540	2792	WScript.exe	35
PID 2792 wrote to memory of 1540	2792	WScript.exe	35
PID 2792 wrote to memory of 1540	2792	WScript.exe	35
PID 2792 wrote to memory of 444	2792	WScript.exe	36
PID 2792 wrote to memory of 444	2792	WScript.exe	36
PID 2792 wrote to memory of 444	2792	WScript.exe	36
PID 2792 wrote to memory of 444	2792	WScript.exe	36
PID 2792 wrote to memory of 1096	2792	WScript.exe	37
PID 2792 wrote to memory of 1096	2792	WScript.exe	37
PID 2792 wrote to memory of 1096	2792	WScript.exe	37
PID 2792 wrote to memory of 1096	2792	WScript.exe	37
PID 2792 wrote to memory of 3020	2792	WScript.exe	38
PID 2792 wrote to memory of 3020	2792	WScript.exe	38
PID 2792 wrote to memory of 3020	2792	WScript.exe	38
PID 2792 wrote to memory of 3020	2792	WScript.exe	38
PID 2792 wrote to memory of 2216	2792	WScript.exe	39
PID 2792 wrote to memory of 2216	2792	WScript.exe	39
PID 2792 wrote to memory of 2216	2792	WScript.exe	39
PID 2792 wrote to memory of 2216	2792	WScript.exe	39
PID 2792 wrote to memory of 2348	2792	WScript.exe	40
PID 2792 wrote to memory of 2348	2792	WScript.exe	40
PID 2792 wrote to memory of 2348	2792	WScript.exe	40
PID 2792 wrote to memory of 2348	2792	WScript.exe	40
PID 2792 wrote to memory of 2932	2792	WScript.exe	41
PID 2792 wrote to memory of 2932	2792	WScript.exe	41
PID 2792 wrote to memory of 2932	2792	WScript.exe	41
PID 2792 wrote to memory of 2932	2792	WScript.exe	41
PID 2792 wrote to memory of 2888	2792	WScript.exe	42
PID 2792 wrote to memory of 2888	2792	WScript.exe	42
PID 2792 wrote to memory of 2888	2792	WScript.exe	42
PID 2792 wrote to memory of 2888	2792	WScript.exe	42
PID 2888 wrote to memory of 2308	2888	svchcst.exe	43
PID 2888 wrote to memory of 2308	2888	svchcst.exe	43
PID 2888 wrote to memory of 2308	2888	svchcst.exe	43
PID 2888 wrote to memory of 2308	2888	svchcst.exe	43
PID 2308 wrote to memory of 2228	2308	WScript.exe	44
PID 2308 wrote to memory of 2228	2308	WScript.exe	44
PID 2308 wrote to memory of 2228	2308	WScript.exe	44
PID 2308 wrote to memory of 2228	2308	WScript.exe	44
PID 2228 wrote to memory of 264	2228	svchcst.exe	45
PID 2228 wrote to memory of 264	2228	svchcst.exe	45
PID 2228 wrote to memory of 264	2228	svchcst.exe	45
PID 2228 wrote to memory of 264	2228	svchcst.exe	45
PID 264 wrote to memory of 1108	264	WScript.exe	46
PID 264 wrote to memory of 1108	264	WScript.exe	46
PID 264 wrote to memory of 1108	264	WScript.exe	46
PID 264 wrote to memory of 1108	264	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
"C:\Users\Admin\AppData\Local\Temp\08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:444
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8c29ec11527738bc95d2f69d390f7c74

SHA1
949510bf8d59f3658d1722a1335c8b3d133a56cb

SHA256
5509e9f9eee86d2e262835e86e611765ed7fb9004c2f395b77af5b0756a52b27

SHA512
25e41315732d061be0248380dda36b5ddf25b8b53f6dd63427e51a0ae0396fbf43b12d85791911fb6fea3c16ee18b22946df545629a0352808528f47bdd2f7fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
008d8ac5c6d3f3a8d72b6a916b0e0068

SHA1
94c37ab08ac20b6b90cb2268a6290ef91ac85b81

SHA256
9675f691e0489df4a924756baa943b97dd42304b44413e2767115a9b55c99a0e

SHA512
74e3db6fa3be33e3a79a4191ffd2dfc74c33927acee27ebe347f34cae5c2630eabee4b95d714e765ead026c0f0f34bdb21159baa57c8e37150568beec61cc815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c7e291ebe5c9b4bb8120ecca3f1247ac

SHA1
37d4b89ad85193b97571d06cb0118791d0261327

SHA256
eef52463222284785797beddfbdb271276a74d19280ed37ff473c476e5731fc5

SHA512
9f67331c9123c6ac9adfc97688c639bca1b5922dc62065e28180553bf2f2a680c9adfe0ce03ad38ecbb74895bb21b6108efb619eb632dee2afe1d7e9d15781f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7debd42fc4654f39346aff5123fe970

SHA1
431a892f58b608331d6363df782f2b5472e81d31

SHA256
6210d599b2214b8dfb0f4d85f5eaff4e3253690d18a8c51d7ff149b663baa43a

SHA512
6bf51525115728444179888e2536145dde1a8bb57e6585d8cfd6148da1fbbe6340b9f2d0a2a4d246c762340e81576a33b5e58fcc4080b489aad1a9bf84182a16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9455c08a954edeac6e73b2bf4c130a41

SHA1
479eac32f1a7efbcbbde3128d427f1bff61330c7

SHA256
c8ac2a40d5188473dc0d0ec2bb7b6a6ab4da38663c06bbf7eb0a15265e6e6109

SHA512
5c2b2610c93a3a57e85e5ed7a3c56689ca0bcec81ddbb019d838005d652487513fc6be43175dc26c712870be21e1008a78b1e799f94ab5a837e3d66fe7a2975d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
64ba49a9cac4bf1abff85caa89a85093

SHA1
36743023c77f8cb67fdeb99e4c545cd9100678e8

SHA256
7143c78760d45569c3b5f3edf635ff3ab64ae0e55fb66a5b9bd5911f46ac2bc0

SHA512
1f72cdf4585d751ab4c39d3f06abb692b7035c4e1a31cceb99bbcfe3f4522adef7c3b69b2650542f993a95d85c6f7a281cbf9894bbdb109c5621c97579ffdebb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0f4ced3725da82c66844462abe40017

SHA1
644373f6fd789b90a5e068d909253d9b1b397a7c

SHA256
3378441a119ebd0fff8b45a56b60486842aebd0e8ba2674e4b36cb8f35dbd547

SHA512
94d04df47a7f0c799d563ad101c9b7a794caf02fbbb4a4508412421413a12b7e680da7cd926e09ab9028d5f7d6a97daed6451bb2c6f3d905eb05351eba5304e6

Download Submit
memory/264-88-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/444-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/444-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/444-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/444-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/540-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/540-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/548-165-0x00000000058D0000-0x0000000005A2F000-memory.dmp

Filesize
1.4MB

Download
memory/552-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/780-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1096-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1096-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1108-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1108-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1276-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1276-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-127-0x0000000004580000-0x00000000046DF000-memory.dmp

Filesize
1.4MB

Download
memory/1640-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2228-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-74-0x0000000004970000-0x0000000004ACF000-memory.dmp

Filesize
1.4MB

Download
memory/2328-220-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-49-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-54-0x0000000005E60000-0x0000000005FBF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-59-0x0000000005E60000-0x0000000005FBF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-40-0x0000000005E60000-0x0000000005FBF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-34-0x0000000005E60000-0x0000000005FBF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-30-0x0000000004990000-0x0000000004AEF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-12-0x0000000004990000-0x0000000004AEF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-13-0x0000000004990000-0x0000000004AEF000-memory.dmp

Filesize
1.4MB

Download
memory/2888-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download