6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
Size

1.1MB
MD5

072c30e5cdcf12e2b2ac68736968d14b
SHA1

950ab18b79a54c1098bdd8d4df1b9fb02da0f44a
SHA256

6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6
SHA512

66de7bedd1d467148cd65073fb5093bfa1e5ffcb42f5038c5dc474453866386c18268997b19b98b80e5a700703903618135ff3bd48f39234d404cc4b57bf6c79
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QD:acallSllG4ZM7QzM0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2104	svchcst.exe
2724	svchcst.exe
2988	svchcst.exe
2088	svchcst.exe
2000	svchcst.exe
1576	svchcst.exe
2040	svchcst.exe
2668	svchcst.exe
3024	svchcst.exe
2972	svchcst.exe
2400	svchcst.exe
932	svchcst.exe
2180	svchcst.exe
2792	svchcst.exe
1996	svchcst.exe
2096	svchcst.exe
2940	svchcst.exe
2844	svchcst.exe
996	svchcst.exe
2400	svchcst.exe
684	svchcst.exe
2180	svchcst.exe
2484	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
3024	WScript.exe
3024	WScript.exe
840	WScript.exe
2776	WScript.exe
2776	WScript.exe
2188	WScript.exe
2044	WScript.exe
2044	WScript.exe
1464	WScript.exe
1464	WScript.exe
2384	WScript.exe
2384	WScript.exe
2364	WScript.exe
2364	WScript.exe
560	WScript.exe
560	WScript.exe
1976	WScript.exe
1976	WScript.exe
2612	WScript.exe
2612	WScript.exe
1140	WScript.exe
1140	WScript.exe
756	WScript.exe
756	WScript.exe
2484	WScript.exe
2484	WScript.exe
2592	WScript.exe
2592	WScript.exe
2604	WScript.exe
2604	WScript.exe
2104	WScript.exe
2104	WScript.exe
2176	WScript.exe
2176	WScript.exe
2520	WScript.exe
2520	WScript.exe
2168	WScript.exe
2168	WScript.exe
2480	WScript.exe
2480	WScript.exe
2460	WScript.exe
2460	WScript.exe
2192	WScript.exe
2192	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
2104	svchcst.exe
2104	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
932	svchcst.exe
932	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
996	svchcst.exe
996	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
684	svchcst.exe
684	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3024	2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe	31
PID 2744 wrote to memory of 3024	2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe	31
PID 2744 wrote to memory of 3024	2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe	31
PID 2744 wrote to memory of 3024	2744	6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe	31
PID 3024 wrote to memory of 2104	3024	WScript.exe	33
PID 3024 wrote to memory of 2104	3024	WScript.exe	33
PID 3024 wrote to memory of 2104	3024	WScript.exe	33
PID 3024 wrote to memory of 2104	3024	WScript.exe	33
PID 2104 wrote to memory of 840	2104	svchcst.exe	34
PID 2104 wrote to memory of 840	2104	svchcst.exe	34
PID 2104 wrote to memory of 840	2104	svchcst.exe	34
PID 2104 wrote to memory of 840	2104	svchcst.exe	34
PID 840 wrote to memory of 2724	840	WScript.exe	35
PID 840 wrote to memory of 2724	840	WScript.exe	35
PID 840 wrote to memory of 2724	840	WScript.exe	35
PID 840 wrote to memory of 2724	840	WScript.exe	35
PID 2724 wrote to memory of 2776	2724	svchcst.exe	36
PID 2724 wrote to memory of 2776	2724	svchcst.exe	36
PID 2724 wrote to memory of 2776	2724	svchcst.exe	36
PID 2724 wrote to memory of 2776	2724	svchcst.exe	36
PID 2776 wrote to memory of 2988	2776	WScript.exe	37
PID 2776 wrote to memory of 2988	2776	WScript.exe	37
PID 2776 wrote to memory of 2988	2776	WScript.exe	37
PID 2776 wrote to memory of 2988	2776	WScript.exe	37
PID 2988 wrote to memory of 2188	2988	svchcst.exe	38
PID 2988 wrote to memory of 2188	2988	svchcst.exe	38
PID 2988 wrote to memory of 2188	2988	svchcst.exe	38
PID 2988 wrote to memory of 2188	2988	svchcst.exe	38
PID 2188 wrote to memory of 2088	2188	WScript.exe	39
PID 2188 wrote to memory of 2088	2188	WScript.exe	39
PID 2188 wrote to memory of 2088	2188	WScript.exe	39
PID 2188 wrote to memory of 2088	2188	WScript.exe	39
PID 2088 wrote to memory of 2044	2088	svchcst.exe	40
PID 2088 wrote to memory of 2044	2088	svchcst.exe	40
PID 2088 wrote to memory of 2044	2088	svchcst.exe	40
PID 2088 wrote to memory of 2044	2088	svchcst.exe	40
PID 2044 wrote to memory of 2000	2044	WScript.exe	41
PID 2044 wrote to memory of 2000	2044	WScript.exe	41
PID 2044 wrote to memory of 2000	2044	WScript.exe	41
PID 2044 wrote to memory of 2000	2044	WScript.exe	41
PID 2000 wrote to memory of 1464	2000	svchcst.exe	42
PID 2000 wrote to memory of 1464	2000	svchcst.exe	42
PID 2000 wrote to memory of 1464	2000	svchcst.exe	42
PID 2000 wrote to memory of 1464	2000	svchcst.exe	42
PID 1464 wrote to memory of 1576	1464	WScript.exe	43
PID 1464 wrote to memory of 1576	1464	WScript.exe	43
PID 1464 wrote to memory of 1576	1464	WScript.exe	43
PID 1464 wrote to memory of 1576	1464	WScript.exe	43
PID 1576 wrote to memory of 2384	1576	svchcst.exe	44
PID 1576 wrote to memory of 2384	1576	svchcst.exe	44
PID 1576 wrote to memory of 2384	1576	svchcst.exe	44
PID 1576 wrote to memory of 2384	1576	svchcst.exe	44
PID 2384 wrote to memory of 2040	2384	WScript.exe	45
PID 2384 wrote to memory of 2040	2384	WScript.exe	45
PID 2384 wrote to memory of 2040	2384	WScript.exe	45
PID 2384 wrote to memory of 2040	2384	WScript.exe	45
PID 2040 wrote to memory of 2364	2040	svchcst.exe	46
PID 2040 wrote to memory of 2364	2040	svchcst.exe	46
PID 2040 wrote to memory of 2364	2040	svchcst.exe	46
PID 2040 wrote to memory of 2364	2040	svchcst.exe	46
PID 2364 wrote to memory of 2668	2364	WScript.exe	47
PID 2364 wrote to memory of 2668	2364	WScript.exe	47
PID 2364 wrote to memory of 2668	2364	WScript.exe	47
PID 2364 wrote to memory of 2668	2364	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe
"C:\Users\Admin\AppData\Local\Temp\6b0eb652fdabe1d3cf2de66b4919081d0b6a07726edc0297389fe2a33b73d7a6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2cb0d4e1d2a13440e6f5b877a3906e5a

SHA1
f5a93b2f7381bd4de41fe91b06542abe08b0ead6

SHA256
66c0012fbde870644a109c1d54a081b572f7d6e2d3cc5f7679e2477a406a2da9

SHA512
1d644396f98806c66a108b7da1a2b20bd99b1645a64b83a96734d1d0c654f86ceb30b9c063e6cf9a31fb90edcfa4707c6e817fbef390670a896da9f9beeeec73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b566d7eff04805caea6dcfd63cda88d9

SHA1
ffbba6e5473f23feeef3f140ee1a1473e00b75c9

SHA256
6e5d89ebc7885a127e0e97cdb8bbe53d1f7c3a593bff9b3046aceb11ba1dd64f

SHA512
94a9989b2c8048eec008111f0c23f5169f298400ec5137ccb978953e5a05d074f5635139574802f728fd23ebf6d9ec76f24097ca117c382699b18d74be3df8c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
49c5eb99698766087e699e113a302367

SHA1
5f944e675fc4961ba1f41ed2efd49a0a2e6fd572

SHA256
9178a57892a8b99a8e69d93ebfbc87c36d616a847768b714467231e13bc8bf51

SHA512
be879f0cbf116399c69b20d78c75b412f14c6b07ceb52ebee7b5233e60a8cd8e617d45b81cf84c53f487b31461e85ace6450e2f37830309d0fb634b4240319d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
30fdd2bee309222dc9f73d355a3dd1af

SHA1
a20147e7cd6a9406f31e9158693a00aafd1c08fc

SHA256
18a6fbac763a39da4057ca20c9ec0853d413125324a86ca91d02c21165a80e66

SHA512
87d4020e2c428e3db0ca1312ce60053b750dfc76957f46a73dd190b1e49a23139a833a4951c4ed16856a5e0228f0dd2b4ada64834ae55c1aa82346c81d5d6a44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da71da86978d65b94b74933ac117f225

SHA1
ee70c77b0b120dab31e2076fd4e7bcbaffb973df

SHA256
87ddae00259e387812a3907dfa2f4af720350f1889a2b084136ce82ca21a527e

SHA512
dd1a016b94f16c18ac6d49de87a25f44eaa2b5aee11e22815284fe15d686f976bc31aded19d1f0939e23e3f1750123864f7300014ca9156de8897ddb224d4209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ed30e0bc5700d28a2bcd8c6d0868b4e

SHA1
13c4f13e101ca19ae2217d5e2627764f8633c3ee

SHA256
34a333945255b3f035a75a3626527ee7e4cf90d814ae63043cae7244f98e72ad

SHA512
3fbc4b86f28018f50a8db4eea90405befcf46a3892ce352b3c9f347da727daac13cf941d07e42c1dbeae403b66993e07b1ad13bf9a3e251a64da6f6cc3298256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c832f22e59b03c33163552609c4be50d

SHA1
69cd7229fa15defb75df49c9068a0f61c6e08b8d

SHA256
65da8db96e79f8e4ec0cedff27d7000dbce59e4976c12da277414cd4d5a820cf

SHA512
3c439b5d0d32420773190792d091d367effbc6161a69fb5e7367ee742f144d52be204f71415b774883498269fea9879f788b0a1a6a25ca90b02f66614bd9d6d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c1eeb93a830dbdc3d8ea63e973e90685

SHA1
b36af884a2a2d1384732521741178b6276eb0872

SHA256
dea61646191402f00a0732a0f5d22ae351bdc521588c238bfa03a2fec73399d2

SHA512
d6c359bfe6ee82e5859045baa3aafc4a08a1c7b5720aaec7fe57ca5e4be011faa4f8b2143120d2de9a99cab910aec43c65717e3c9648f0b6699c7d1fd6222b43

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b2fe492a145b7954e769b41a34a56ce8

SHA1
7f6cb5bc4a8b69997555f5035deff9e545cb2f75

SHA256
309192ac8c3f2af7e2341b78756fdae4e46f53b288ea2e1e66f818f48bc861ff

SHA512
d72bade9453c48b34ab66cea67356713534b707a93d614c02f5c168d6c466ea888052a7abb0c93a29f2e6333c696155d8e4b0ca59e4f8d40d046923ce9e71b40

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b83976493d2cce0ca1bbeb08a1740776

SHA1
420ad6ea2825634d586b0bac5ba871ed67908421

SHA256
dac59592be04de0b1e3bdd881672188f081a546f79e7a4672310f6799858fa1e

SHA512
250c8269e99a90354bc43430ccb5704397b3f29984b3ec33d048c20b089b9a7dd2b158a1cd8b4dfdd9eb4111883080f14fd9949c858ae24fc9d63bb5880e4854

Download Submit
memory/560-124-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/560-123-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/684-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/684-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-167-0x0000000005B10000-0x0000000005C6F000-memory.dmp

Filesize
1.4MB

Download
memory/932-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/932-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-82-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1576-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-139-0x00000000045C0000-0x000000000471F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-201-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-228-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-210-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-254-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-96-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2400-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-245-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-176-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-219-0x0000000004740000-0x000000000489F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-185-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/2612-151-0x0000000005ED0000-0x000000000602F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-43-0x00000000045E0000-0x000000000473F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-14-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-15-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download