2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
Size

1.1MB
MD5

6d8189af494c28ac1e2e6a8ac334ef54
SHA1

816b68e8b8d128a3a4a2e5dd7caf594b46c147dd
SHA256

2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978
SHA512

6ada67f00be6483e1f961af5ae7613fbd809768f9a3e9d355c9636d8b42b99650e9c19818b4641275e70c3b5c7bde1e74ca1eef44da051ce227b258fc1ff37e4
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMA

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2968	svchcst.exe
2092	svchcst.exe
2616	svchcst.exe
2064	svchcst.exe
1080	svchcst.exe
1628	svchcst.exe
1804	svchcst.exe
2192	svchcst.exe
2832	svchcst.exe
2384	svchcst.exe
2372	svchcst.exe
1356	svchcst.exe
1828	svchcst.exe
1756	svchcst.exe
1548	svchcst.exe
2588	svchcst.exe
2272	svchcst.exe
860	svchcst.exe
2604	svchcst.exe
2388	svchcst.exe
588	svchcst.exe
2052	svchcst.exe
1008	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2900	WScript.exe
2900	WScript.exe
1692	WScript.exe
2796	WScript.exe
2796	WScript.exe
2796	WScript.exe
968	WScript.exe
1800	WScript.exe
1800	WScript.exe
1924	WScript.exe
1924	WScript.exe
2976	WScript.exe
2908	WScript.exe
2908	WScript.exe
2908	WScript.exe
2156	WScript.exe
2156	WScript.exe
3064	WScript.exe
1992	WScript.exe
1992	WScript.exe
2408	WScript.exe
2408	WScript.exe
1804	WScript.exe
1804	WScript.exe
2608	WScript.exe
2608	WScript.exe
1776	WScript.exe
1776	WScript.exe
2416	WScript.exe
2416	WScript.exe
2916	WScript.exe
2916	WScript.exe
1644	WScript.exe
1644	WScript.exe
532	WScript.exe
532	WScript.exe
2508	WScript.exe
2508	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
2968	svchcst.exe
2968	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
1548	svchcst.exe
1548	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
860	svchcst.exe
860	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
588	svchcst.exe
588	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2900	2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe	30
PID 2648 wrote to memory of 2900	2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe	30
PID 2648 wrote to memory of 2900	2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe	30
PID 2648 wrote to memory of 2900	2648	2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe	30
PID 2900 wrote to memory of 2968	2900	WScript.exe	32
PID 2900 wrote to memory of 2968	2900	WScript.exe	32
PID 2900 wrote to memory of 2968	2900	WScript.exe	32
PID 2900 wrote to memory of 2968	2900	WScript.exe	32
PID 2968 wrote to memory of 1692	2968	svchcst.exe	33
PID 2968 wrote to memory of 1692	2968	svchcst.exe	33
PID 2968 wrote to memory of 1692	2968	svchcst.exe	33
PID 2968 wrote to memory of 1692	2968	svchcst.exe	33
PID 1692 wrote to memory of 2092	1692	WScript.exe	34
PID 1692 wrote to memory of 2092	1692	WScript.exe	34
PID 1692 wrote to memory of 2092	1692	WScript.exe	34
PID 1692 wrote to memory of 2092	1692	WScript.exe	34
PID 2092 wrote to memory of 2796	2092	svchcst.exe	35
PID 2092 wrote to memory of 2796	2092	svchcst.exe	35
PID 2092 wrote to memory of 2796	2092	svchcst.exe	35
PID 2092 wrote to memory of 2796	2092	svchcst.exe	35
PID 2796 wrote to memory of 2616	2796	WScript.exe	36
PID 2796 wrote to memory of 2616	2796	WScript.exe	36
PID 2796 wrote to memory of 2616	2796	WScript.exe	36
PID 2796 wrote to memory of 2616	2796	WScript.exe	36
PID 2616 wrote to memory of 968	2616	svchcst.exe	37
PID 2616 wrote to memory of 968	2616	svchcst.exe	37
PID 2616 wrote to memory of 968	2616	svchcst.exe	37
PID 2616 wrote to memory of 968	2616	svchcst.exe	37
PID 2796 wrote to memory of 2064	2796	WScript.exe	38
PID 2796 wrote to memory of 2064	2796	WScript.exe	38
PID 2796 wrote to memory of 2064	2796	WScript.exe	38
PID 2796 wrote to memory of 2064	2796	WScript.exe	38
PID 2064 wrote to memory of 2456	2064	svchcst.exe	39
PID 2064 wrote to memory of 2456	2064	svchcst.exe	39
PID 2064 wrote to memory of 2456	2064	svchcst.exe	39
PID 2064 wrote to memory of 2456	2064	svchcst.exe	39
PID 968 wrote to memory of 1080	968	WScript.exe	40
PID 968 wrote to memory of 1080	968	WScript.exe	40
PID 968 wrote to memory of 1080	968	WScript.exe	40
PID 968 wrote to memory of 1080	968	WScript.exe	40
PID 1080 wrote to memory of 1800	1080	svchcst.exe	41
PID 1080 wrote to memory of 1800	1080	svchcst.exe	41
PID 1080 wrote to memory of 1800	1080	svchcst.exe	41
PID 1080 wrote to memory of 1800	1080	svchcst.exe	41
PID 1800 wrote to memory of 1628	1800	WScript.exe	42
PID 1800 wrote to memory of 1628	1800	WScript.exe	42
PID 1800 wrote to memory of 1628	1800	WScript.exe	42
PID 1800 wrote to memory of 1628	1800	WScript.exe	42
PID 1628 wrote to memory of 2472	1628	svchcst.exe	43
PID 1628 wrote to memory of 2472	1628	svchcst.exe	43
PID 1628 wrote to memory of 2472	1628	svchcst.exe	43
PID 1628 wrote to memory of 2472	1628	svchcst.exe	43
PID 1800 wrote to memory of 1804	1800	WScript.exe	44
PID 1800 wrote to memory of 1804	1800	WScript.exe	44
PID 1800 wrote to memory of 1804	1800	WScript.exe	44
PID 1800 wrote to memory of 1804	1800	WScript.exe	44
PID 1804 wrote to memory of 1924	1804	svchcst.exe	45
PID 1804 wrote to memory of 1924	1804	svchcst.exe	45
PID 1804 wrote to memory of 1924	1804	svchcst.exe	45
PID 1804 wrote to memory of 1924	1804	svchcst.exe	45
PID 1924 wrote to memory of 2192	1924	WScript.exe	46
PID 1924 wrote to memory of 2192	1924	WScript.exe	46
PID 1924 wrote to memory of 2192	1924	WScript.exe	46
PID 1924 wrote to memory of 2192	1924	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe
"C:\Users\Admin\AppData\Local\Temp\2bbb0824cc827b5f8123d2b019a2fc64cf5adea2e78f98e9e88f179231af3978.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3108706e53b3aa99013695ab8008a6f1

SHA1
e476a7b07430f9e32accce19d6a642828bf65dfe

SHA256
7a3feb4dd147780226f35cfe520c6a5810bb4f9023bcdb240c400bddd9922f58

SHA512
84de0059b7d76bdd85522a08aa7e8bbd63042865b6ec2cbe7a627a44a4cddb935fc7cc5126296f271021a214dc6490d57a9f9234242255c8832017a898456790

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41b701aebef53d1179ba5b25a0fd12d1

SHA1
14316dba763205d05dea0aad3885d999291d1af5

SHA256
0312cdc6cd4c51b0b6e8dd731a8c2680501ff39c25203d0976e3bb6f8e627101

SHA512
cd81d6c40c539068a13f7617073d715c8f69378be435760334720733656e7fbaf177dd8ceff339e49581c1c47dc6c4e8dca0939b65602acffb04a5e96999e3f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e000211cbe95469123d4d22737b4779d

SHA1
2ff034c75d50a9b4edac2f8aea398ef288386ca7

SHA256
90d602cdf28fad2967118eb06cedbbbe91603101f2341a5fd3fb2d8a468e225d

SHA512
952bfd5cd26a9e097c7b3fdac18b69373b9faff34626aed0fddd9f5ee67b87176afc60f3a97864ae24a08972f78e5cafa498e30de84740434c10fb8be61dcce1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1799c5140d791c60acf13031efd49f51

SHA1
60c5985612850b6a979d254d2d8c109e0e50ca5b

SHA256
6a66577b618a07181a3e841b9c743a265a9d9eac19b9317030c38760485f3efc

SHA512
d7b1889d9ab0e249a5b5127f00ed9fc21b161b5ba77bbbb42f4cc3b6a41ad6e9287f965d304212a52b019af3d57793b6d8ed0173d2578ef0ff3a3e9687c6381f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51bbf4c902dc3aa630a5cc94aa999b99

SHA1
c80eb23ecde4f4cbea2e4360b761da3455f68074

SHA256
6993b717ab9f6b214b452d601f147e912d92dfc258a0e3545dfa5ab34686440e

SHA512
ccce7677f665303e6c2917a8a009c51f88a8b23774a038bd33c1f4445ffb2d440ecb483beff36b820649e2ce15bf2d7920cecbd98a287be821299af23d6981b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c9573cafd33483c80b4cc0ba28c819de

SHA1
6c288408e1b919868c816c17cef7c250e78481d6

SHA256
1bf077b8a560ede68016e0904e8969818b782182a4a01635edea71082ca06880

SHA512
f207c3d1efc497091b3632548c77ae3f0518f8549cdd98ccdcec1cf7e2d25a55fb20742aac287d6428e7cdbaa99cbf8de700b008ad0560f85acf00cbeced6843

Download Submit
memory/532-238-0x0000000004400000-0x000000000455F000-memory.dmp

Filesize
1.4MB

Download
memory/544-258-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-256-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-239-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/1644-229-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/1644-228-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/1756-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-217-0x0000000004950000-0x0000000004AAF000-memory.dmp

Filesize
1.4MB

Download
memory/1800-85-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-101-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-102-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-168-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-152-0x00000000058D0000-0x0000000005A2F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2272-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2272-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-180-0x0000000005C00000-0x0000000005D5F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-257-0x0000000005C20000-0x0000000005D7F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-248-0x0000000003F80000-0x00000000040DF000-memory.dmp

Filesize
1.4MB

Download
memory/2588-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2604-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2604-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-208-0x0000000005FF0000-0x000000000614F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-70-0x0000000005EB0000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-14-0x0000000004010000-0x000000000416F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-139-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-125-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-138-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-219-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-114-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download