01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a

Analysis

max time kernel
79s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Size

1.1MB
MD5

2e788badf8885c5f3a3644c05ca3a2b6
SHA1

f7b531e1ae2312ded4c85feef533042701932b94
SHA256

01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a
SHA512

7ae109c68ba8e385b7bb3b0106f6d211ffd709b837c8efedcb96dfe67a9392480b923f971f9880e5805cf3daf70ed3400867a2bd96b9b79b64e87f6b307e6414
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qy:acallSllG4ZM7QzMh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	svchcst.exe

Executes dropped EXE 17 IoCs

pid	Process
2788	svchcst.exe
1096	svchcst.exe
2056	svchcst.exe
1152	svchcst.exe
1800	svchcst.exe
2100	svchcst.exe
1552	svchcst.exe
2668	svchcst.exe
2568	svchcst.exe
2492	svchcst.exe
1912	svchcst.exe
664	svchcst.exe
428	svchcst.exe
112	svchcst.exe
1332	svchcst.exe
1716	svchcst.exe
2824	svchcst.exe

Loads dropped DLL 25 IoCs

pid	Process
2484	WScript.exe
2484	WScript.exe
2592	WScript.exe
2592	WScript.exe
2324	WScript.exe
2324	WScript.exe
2728	WScript.exe
1784	WScript.exe
1048	WScript.exe
1048	WScript.exe
1784	WScript.exe
2468	WScript.exe
2548	WScript.exe
2120	WScript.exe
2120	WScript.exe
2120	WScript.exe
1736	WScript.exe
2324	WScript.exe
2324	WScript.exe
1560	WScript.exe
1560	WScript.exe
1560	WScript.exe
1560	WScript.exe
2928	WScript.exe
2928	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
2788	svchcst.exe
2788	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
664	svchcst.exe
664	svchcst.exe
428	svchcst.exe
428	svchcst.exe
112	svchcst.exe
112	svchcst.exe
1332	svchcst.exe
1332	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2484	1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	30
PID 1856 wrote to memory of 2484	1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	30
PID 1856 wrote to memory of 2484	1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	30
PID 1856 wrote to memory of 2484	1856	01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe	30
PID 2484 wrote to memory of 2788	2484	WScript.exe	33
PID 2484 wrote to memory of 2788	2484	WScript.exe	33
PID 2484 wrote to memory of 2788	2484	WScript.exe	33
PID 2484 wrote to memory of 2788	2484	WScript.exe	33
PID 2788 wrote to memory of 2592	2788	svchcst.exe	34
PID 2788 wrote to memory of 2592	2788	svchcst.exe	34
PID 2788 wrote to memory of 2592	2788	svchcst.exe	34
PID 2788 wrote to memory of 2592	2788	svchcst.exe	34
PID 2592 wrote to memory of 1096	2592	WScript.exe	35
PID 2592 wrote to memory of 1096	2592	WScript.exe	35
PID 2592 wrote to memory of 1096	2592	WScript.exe	35
PID 2592 wrote to memory of 1096	2592	WScript.exe	35
PID 1096 wrote to memory of 2324	1096	svchcst.exe	36
PID 1096 wrote to memory of 2324	1096	svchcst.exe	36
PID 1096 wrote to memory of 2324	1096	svchcst.exe	36
PID 1096 wrote to memory of 2324	1096	svchcst.exe	36
PID 2324 wrote to memory of 2056	2324	WScript.exe	37
PID 2324 wrote to memory of 2056	2324	WScript.exe	37
PID 2324 wrote to memory of 2056	2324	WScript.exe	37
PID 2324 wrote to memory of 2056	2324	WScript.exe	37
PID 2056 wrote to memory of 2940	2056	svchcst.exe	38
PID 2056 wrote to memory of 2940	2056	svchcst.exe	38
PID 2056 wrote to memory of 2940	2056	svchcst.exe	38
PID 2056 wrote to memory of 2940	2056	svchcst.exe	38
PID 2056 wrote to memory of 2728	2056	svchcst.exe	39
PID 2056 wrote to memory of 2728	2056	svchcst.exe	39
PID 2056 wrote to memory of 2728	2056	svchcst.exe	39
PID 2056 wrote to memory of 2728	2056	svchcst.exe	39
PID 2728 wrote to memory of 1152	2728	WScript.exe	40
PID 2728 wrote to memory of 1152	2728	WScript.exe	40
PID 2728 wrote to memory of 1152	2728	WScript.exe	40
PID 2728 wrote to memory of 1152	2728	WScript.exe	40
PID 1152 wrote to memory of 1784	1152	svchcst.exe	41
PID 1152 wrote to memory of 1784	1152	svchcst.exe	41
PID 1152 wrote to memory of 1784	1152	svchcst.exe	41
PID 1152 wrote to memory of 1784	1152	svchcst.exe	41
PID 1152 wrote to memory of 1048	1152	svchcst.exe	42
PID 1152 wrote to memory of 1048	1152	svchcst.exe	42
PID 1152 wrote to memory of 1048	1152	svchcst.exe	42
PID 1152 wrote to memory of 1048	1152	svchcst.exe	42
PID 1784 wrote to memory of 1800	1784	WScript.exe	43
PID 1784 wrote to memory of 1800	1784	WScript.exe	43
PID 1784 wrote to memory of 1800	1784	WScript.exe	43
PID 1784 wrote to memory of 1800	1784	WScript.exe	43
PID 1048 wrote to memory of 2100	1048	WScript.exe	44
PID 1048 wrote to memory of 2100	1048	WScript.exe	44
PID 1048 wrote to memory of 2100	1048	WScript.exe	44
PID 1048 wrote to memory of 2100	1048	WScript.exe	44
PID 1800 wrote to memory of 2988	1800	svchcst.exe	45
PID 1800 wrote to memory of 2988	1800	svchcst.exe	45
PID 1800 wrote to memory of 2988	1800	svchcst.exe	45
PID 1800 wrote to memory of 2988	1800	svchcst.exe	45
PID 1784 wrote to memory of 1552	1784	WScript.exe	46
PID 1784 wrote to memory of 1552	1784	WScript.exe	46
PID 1784 wrote to memory of 1552	1784	WScript.exe	46
PID 1784 wrote to memory of 1552	1784	WScript.exe	46
PID 1552 wrote to memory of 2468	1552	svchcst.exe	47
PID 1552 wrote to memory of 2468	1552	svchcst.exe	47
PID 1552 wrote to memory of 2468	1552	svchcst.exe	47
PID 1552 wrote to memory of 2468	1552	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe
"C:\Users\Admin\AppData\Local\Temp\01c6b3248d17b5ef9d712cbeaea233624a728592839b572140144a40e71cde6a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        
        PID:284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        
        PID:112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        
        PID:800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c0d36ac57cfb4697aeab06acf3791b84

SHA1
df65f48001735ec766af26b42e0eed9c634a6123

SHA256
87c0e066d7702372cd967aff6b1b9e6f1ce5e95bcf2435c58ad37cbca3759937

SHA512
f3c210a0e320442ce77c33c2c3b3f15f6140b20d17c59f0028304c4ef0e7b68e97d6d067e04c9eea4f9c008ff6e9562ffab1afd6434abeec773e43d4afe8a1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a60b5e4992b3a0c72668f764bc5b0c2a

SHA1
e5b4372225a3272d8199430aad2773dd647a8b45

SHA256
6fde9eae2017ebe59de7f28b7cfcdb1038ad92231eb9fdf2c01643ebd96e193a

SHA512
beb08f213c86d209c5afe621001d350f4f959b754ab20952952e56edadca22bbe66f67f9bed94c91fd3dc718989da19f6a94ef836a36f2b5710af2fd07c4408a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3eeee7ed1abf2d71a5c552ec8a4eb39a

SHA1
13eaf984b180bb69fab8d5fe18532c534be3a749

SHA256
3c40b0c4d24492cb59042fc242cbdfabebf0590626150e0583fb513a3790f4ae

SHA512
ff23864952ed8804b72c201abab9f24f23c1662e8a84a4bb310b046a1de4f441c797a67b5f117e89a552047d3911043fd09ebd1397edc68859589828fd690330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2fb90bf6daca0cdab23bf41370150ab8

SHA1
6a5378bae83a6763e4389dc9947d1324b3d303f2

SHA256
dc8e2a6ae9aad59ccc79de9db54842891bcefb44a243c674389fcb4076f0eb3e

SHA512
49f3492b440f76e55a62e469ff8d076aa05679e7f675fcecd2442a83960da547c08c24ddfee66dc3cecb7c75cd411fb01fedb364c4e0ac17d5a9862478261f85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
36d603d2e7b6832d103607ccaeab3854

SHA1
46d576b9b98d2c4b94ce39050af65dd813f3e4b2

SHA256
e78424e876694082f9393416bf13b2ae936b0e11f23b4176aa81b0343acf1e3b

SHA512
0705ceb994483c2187f8b8c0add0bc66d5ccb3f82b8922ff9c19704a3c95bfa93f1f253dec755359e35c08a2a95674fd41d3b318e9d3e24bcc6e84883c9e2a74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a82147ab9c6c3068ee3f7a73378f64e4

SHA1
0c3c7b240aea1df58565f1abad387d59940d098a

SHA256
87d4a9ed341088edd0df53dd4dd45a1daf919b2615ae95629b604d95ff198da3

SHA512
a0c9719f8128abb361415a7a353fe7fba95b289bf8ca4c75fc7b85aa15a0d39f7796e9893625f9d4338d7b9c36614db441e68a8733c1e8608de4d5188a2eb385

Download Submit
memory/112-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/112-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/112-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/112-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/284-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/284-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/428-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/428-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/664-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-271-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-278-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-84-0x0000000003BA0000-0x0000000003CFF000-memory.dmp

Filesize
1.4MB

Download
memory/1048-85-0x0000000003BA0000-0x0000000003CFF000-memory.dmp

Filesize
1.4MB

Download
memory/1096-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-213-0x00000000053E0000-0x000000000553F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-214-0x00000000053E0000-0x000000000553F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-177-0x0000000003C80000-0x0000000003DDF000-memory.dmp

Filesize
1.4MB

Download
memory/1560-179-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-269-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-168-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-178-0x0000000003C80000-0x0000000003DDF000-memory.dmp

Filesize
1.4MB

Download
memory/1560-166-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1716-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1736-152-0x0000000003E40000-0x0000000003F9F000-memory.dmp

Filesize
1.4MB

Download
memory/1784-71-0x0000000003E90000-0x0000000003FEF000-memory.dmp

Filesize
1.4MB

Download
memory/1784-92-0x00000000054B0000-0x000000000560F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-233-0x0000000005180000-0x00000000052DF000-memory.dmp

Filesize
1.4MB

Download
memory/2008-280-0x0000000005040000-0x000000000519F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-279-0x0000000005040000-0x000000000519F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-135-0x0000000003CA0000-0x0000000003DFF000-memory.dmp

Filesize
1.4MB

Download
memory/2120-125-0x0000000005170000-0x00000000052CF000-memory.dmp

Filesize
1.4MB

Download
memory/2184-291-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-298-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-258-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-270-0x0000000005220000-0x000000000537F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-154-0x0000000004E50000-0x0000000004FAF000-memory.dmp

Filesize
1.4MB

Download
memory/2324-43-0x0000000005180000-0x00000000052DF000-memory.dmp

Filesize
1.4MB

Download
memory/2324-44-0x0000000005180000-0x00000000052DF000-memory.dmp

Filesize
1.4MB

Download
memory/2324-167-0x0000000004E50000-0x0000000004FAF000-memory.dmp

Filesize
1.4MB

Download
memory/2324-157-0x0000000004F50000-0x00000000050AF000-memory.dmp

Filesize
1.4MB

Download
memory/2328-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-289-0x0000000005250000-0x00000000053AF000-memory.dmp

Filesize
1.4MB

Download
memory/2448-290-0x0000000005250000-0x00000000053AF000-memory.dmp

Filesize
1.4MB

Download
memory/2468-104-0x0000000003BA0000-0x0000000003CFF000-memory.dmp

Filesize
1.4MB

Download
memory/2484-13-0x0000000005010000-0x000000000516F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-250-0x0000000003CD0000-0x0000000003E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-268-0x0000000003CD0000-0x0000000003E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-288-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-281-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-30-0x00000000039D0000-0x0000000003B2F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-62-0x00000000052A0000-0x00000000053FF000-memory.dmp

Filesize
1.4MB

Download
memory/2788-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-197-0x0000000003E10000-0x0000000003E39000-memory.dmp

Filesize
164KB

Download
memory/2824-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-204-0x00000000053F0000-0x000000000554F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-203-0x00000000053F0000-0x000000000554F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-223-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-225-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-191-0x0000000005030000-0x000000000518F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-190-0x0000000005030000-0x000000000518F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-259-0x0000000003990000-0x0000000003AEF000-memory.dmp

Filesize
1.4MB

Download
memory/3008-261-0x0000000003990000-0x0000000003AEF000-memory.dmp

Filesize
1.4MB

Download
memory/3016-242-0x0000000003BE0000-0x0000000003D3F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-257-0x0000000003BE0000-0x0000000003D3F000-memory.dmp

Filesize
1.4MB

Download