8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Size

1.1MB
MD5

e710470a86d201257e0c4f31bde5b68e
SHA1

75a6d513a86045f934b6a3cc036eaaffab5aed7b
SHA256

8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565
SHA512

393bc12e2d0eb9241ce9af1c39a79bc5e4f64b152e22153f2c02e1db4078174e2aecbe7e72e8b6599153e25e3a00eb9e47318d6d24458f52bb6470e85ef07ca4
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2428	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2428	svchcst.exe
2176	svchcst.exe
1004	svchcst.exe
2276	svchcst.exe
2292	svchcst.exe
1232	svchcst.exe
2800	svchcst.exe
3040	svchcst.exe
2028	svchcst.exe
1868	svchcst.exe
2784	svchcst.exe
2132	svchcst.exe
624	svchcst.exe
2836	svchcst.exe
2712	svchcst.exe
2452	svchcst.exe
2788	svchcst.exe
3064	svchcst.exe
2192	svchcst.exe
2248	svchcst.exe
1704	svchcst.exe
960	svchcst.exe
2676	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2384	WScript.exe
2384	WScript.exe
1064	WScript.exe
2892	WScript.exe
2892	WScript.exe
2968	WScript.exe
1788	WScript.exe
1788	WScript.exe
1788	WScript.exe
2504	WScript.exe
2504	WScript.exe
3044	WScript.exe
3044	WScript.exe
2384	WScript.exe
2384	WScript.exe
1740	WScript.exe
1776	WScript.exe
1776	WScript.exe
1940	WScript.exe
1940	WScript.exe
2364	WScript.exe
2364	WScript.exe
2344	WScript.exe
2344	WScript.exe
2760	WScript.exe
2760	WScript.exe
2352	WScript.exe
2352	WScript.exe
2796	WScript.exe
2796	WScript.exe
2088	WScript.exe
2088	WScript.exe
2968	WScript.exe
2968	WScript.exe
1736	WScript.exe
1736	WScript.exe
1468	WScript.exe
1468	WScript.exe
1592	WScript.exe
1592	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
2428	svchcst.exe
2428	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
1004	svchcst.exe
1004	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
624	svchcst.exe
624	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
960	svchcst.exe
960	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2384	2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	30
PID 2748 wrote to memory of 2384	2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	30
PID 2748 wrote to memory of 2384	2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	30
PID 2748 wrote to memory of 2384	2748	8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe	30
PID 2384 wrote to memory of 2428	2384	WScript.exe	32
PID 2384 wrote to memory of 2428	2384	WScript.exe	32
PID 2384 wrote to memory of 2428	2384	WScript.exe	32
PID 2384 wrote to memory of 2428	2384	WScript.exe	32
PID 2428 wrote to memory of 1064	2428	svchcst.exe	33
PID 2428 wrote to memory of 1064	2428	svchcst.exe	33
PID 2428 wrote to memory of 1064	2428	svchcst.exe	33
PID 2428 wrote to memory of 1064	2428	svchcst.exe	33
PID 1064 wrote to memory of 2176	1064	WScript.exe	34
PID 1064 wrote to memory of 2176	1064	WScript.exe	34
PID 1064 wrote to memory of 2176	1064	WScript.exe	34
PID 1064 wrote to memory of 2176	1064	WScript.exe	34
PID 2176 wrote to memory of 2892	2176	svchcst.exe	35
PID 2176 wrote to memory of 2892	2176	svchcst.exe	35
PID 2176 wrote to memory of 2892	2176	svchcst.exe	35
PID 2176 wrote to memory of 2892	2176	svchcst.exe	35
PID 2176 wrote to memory of 2924	2176	svchcst.exe	36
PID 2176 wrote to memory of 2924	2176	svchcst.exe	36
PID 2176 wrote to memory of 2924	2176	svchcst.exe	36
PID 2176 wrote to memory of 2924	2176	svchcst.exe	36
PID 2892 wrote to memory of 1004	2892	WScript.exe	37
PID 2892 wrote to memory of 1004	2892	WScript.exe	37
PID 2892 wrote to memory of 1004	2892	WScript.exe	37
PID 2892 wrote to memory of 1004	2892	WScript.exe	37
PID 1004 wrote to memory of 2968	1004	svchcst.exe	38
PID 1004 wrote to memory of 2968	1004	svchcst.exe	38
PID 1004 wrote to memory of 2968	1004	svchcst.exe	38
PID 1004 wrote to memory of 2968	1004	svchcst.exe	38
PID 2968 wrote to memory of 2276	2968	WScript.exe	39
PID 2968 wrote to memory of 2276	2968	WScript.exe	39
PID 2968 wrote to memory of 2276	2968	WScript.exe	39
PID 2968 wrote to memory of 2276	2968	WScript.exe	39
PID 2276 wrote to memory of 1788	2276	svchcst.exe	40
PID 2276 wrote to memory of 1788	2276	svchcst.exe	40
PID 2276 wrote to memory of 1788	2276	svchcst.exe	40
PID 2276 wrote to memory of 1788	2276	svchcst.exe	40
PID 1788 wrote to memory of 2292	1788	WScript.exe	41
PID 1788 wrote to memory of 2292	1788	WScript.exe	41
PID 1788 wrote to memory of 2292	1788	WScript.exe	41
PID 1788 wrote to memory of 2292	1788	WScript.exe	41
PID 2292 wrote to memory of 1324	2292	svchcst.exe	42
PID 2292 wrote to memory of 1324	2292	svchcst.exe	42
PID 2292 wrote to memory of 1324	2292	svchcst.exe	42
PID 2292 wrote to memory of 1324	2292	svchcst.exe	42
PID 1788 wrote to memory of 1232	1788	WScript.exe	44
PID 1788 wrote to memory of 1232	1788	WScript.exe	44
PID 1788 wrote to memory of 1232	1788	WScript.exe	44
PID 1788 wrote to memory of 1232	1788	WScript.exe	44
PID 1232 wrote to memory of 2504	1232	svchcst.exe	45
PID 1232 wrote to memory of 2504	1232	svchcst.exe	45
PID 1232 wrote to memory of 2504	1232	svchcst.exe	45
PID 1232 wrote to memory of 2504	1232	svchcst.exe	45
PID 2504 wrote to memory of 2800	2504	WScript.exe	46
PID 2504 wrote to memory of 2800	2504	WScript.exe	46
PID 2504 wrote to memory of 2800	2504	WScript.exe	46
PID 2504 wrote to memory of 2800	2504	WScript.exe	46
PID 2800 wrote to memory of 3044	2800	svchcst.exe	47
PID 2800 wrote to memory of 3044	2800	svchcst.exe	47
PID 2800 wrote to memory of 3044	2800	svchcst.exe	47
PID 2800 wrote to memory of 3044	2800	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe
"C:\Users\Admin\AppData\Local\Temp\8f14f9e017dd1a35f5666bed55b80fd2d164cc239c70b2ec8bac1d82a3f1c565.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ddedc43b3dbf5764d2331c902ece6da3

SHA1
2f326c7377c1d3852ce31805f458d41a85a8ad68

SHA256
16cd80e13f34813b8ff67f63dc2a3fc53c44065c19dd8562caecbbd6d3d2401b

SHA512
16eda244b68cca50b8c64c3f27a92baee18cd00e8656c728291d09ccf7d9d029d963ba98c241002244c4faecfb3191facfa58777d945fc7252396384454f08eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5d250b3772390926c7174b76df500008

SHA1
b7304a6c7998b2aa61fa883071f4b2824a720d98

SHA256
d7ce0dfdedb6188202ace4817af67190ce56e52db547b891c5a98bc19c31696b

SHA512
678dc709a77a9117241b24495aa661b86e49a83fecc79788a38da2442480540cb2d12db263bd3521f0ddd0e62ed830ac01b3c248342d65adf59a39afa190127e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6d0dfe8b6ec26626d95a4da375a83b27

SHA1
c4bf7e1f7989291fc7d582ae0d3b01c73478058a

SHA256
af2881099ad73aa3c2f445eb5591d369bea66b181bd40979392808e3ac29da1e

SHA512
422c750b4f7daa52c0b0a7c8799b752b0f5523487427110451a46cc18c6e25aba629df060984c9340cc7ed7741bb6c773b6f105a1a514da8cad7b5fff0297b45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9279f7572e81fad6557dd7830f846d06

SHA1
dfee8792639957d6feded484f76ba5e54f84cfaa

SHA256
f6d622bcf81dce6f0d2f6888e511a611aa5a7e5537b4f9f6cef9cb2a0d1ab4d0

SHA512
b82f70f44e7a11f112eda81e53492ee4975c5569e5177ea659821555b497add80ee6fdf06b85b618eeb6a357aee6e3a096784230b758721d8904f48add244c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19fc80c2555013bb3d202228f8c37a2b

SHA1
6f35ecc79d5e38c7b6dc2527fb8cb288ab027c19

SHA256
661e74b82b9516f3ad16384ce5386ae4fb285592322f310fc2f3fa4723e51c0f

SHA512
76763ae9479dce9e0eebdbd62c70c5ef3b022b0644b5f9521cbc47a138634f88ee872e91aa3bcc699c21a66f4ef3cd3d59897b14f2b8f5d8727a5c2991b1d6bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ba909c6fbc954eb1881169850b155009

SHA1
d8eb161fb106388c3e7b19da8f1e49378eee84f7

SHA256
614b37dab8570298e108d877ec8d8d7626e244e17271b01db5f5d5f3a6429e30

SHA512
8d7425ca61241c7b7a7442b47bad30f921d160000c997dddb9b40f052bcb2ace5cf2aad60dbfdb7307c6ec4a10a4430424f5934cc6935f56ee92b5c2375826c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6b592cfea0490d6d30026f439096283e

SHA1
230a00378ec8e61f86bb5255e9405aa758422244

SHA256
4c666d46c2f7b587571dbc9feab0fd46687879737a788b61e486a6177fdd8940

SHA512
46a1d2673464adac28ec0a0b5c414ba2da6cf507aaf87b0c4797fe064c95a6e747dfc3b1f315197ad9cff6d0259e2f69ebc67d6c847205a8cc14231d39bbf8eb

Download Submit
memory/624-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/624-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1232-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-234-0x0000000003D60000-0x0000000003EBF000-memory.dmp

Filesize
1.4MB

Download
memory/1592-243-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1736-226-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-80-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/1868-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-159-0x00000000044A0000-0x00000000045FF000-memory.dmp

Filesize
1.4MB

Download
memory/2028-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-176-0x00000000045C0000-0x000000000471F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-193-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-13-0x00000000058E0000-0x0000000005A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-14-0x00000000058E0000-0x0000000005A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-201-0x00000000040B0000-0x000000000420F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-47-0x0000000003C50000-0x0000000003DAF000-memory.dmp

Filesize
1.4MB

Download
memory/2892-48-0x0000000003C50000-0x0000000003DAF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-218-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-74-0x0000000005DA0000-0x0000000005EFF000-memory.dmp

Filesize
1.4MB

Download
memory/3040-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3040-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3044-108-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download