9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
Size

1.1MB
MD5

e0608aa6ff2b004c9e62926b12b65c55
SHA1

33ead8da20f7c1dd6981a7bfb3967c6f3919657f
SHA256

9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207
SHA512

10219ceb8eb0f95c7e4b47690defe841fe76d183285a1af57c1c73f4cb2428c84e4d50cca93623551a8ea04d5204caa03c118340f97603fc93e40a55c1be905d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QN:acallSllG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
584	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
584	svchcst.exe
656	svchcst.exe
2936	svchcst.exe
2220	svchcst.exe
1784	svchcst.exe
632	svchcst.exe
2188	svchcst.exe
1968	svchcst.exe
1792	svchcst.exe
1976	svchcst.exe
2004	svchcst.exe
1132	svchcst.exe
980	svchcst.exe
2408	svchcst.exe
2564	svchcst.exe
2716	svchcst.exe
2720	svchcst.exe
1572	svchcst.exe
772	svchcst.exe
2796	svchcst.exe
2380	svchcst.exe
1992	svchcst.exe
2084	svchcst.exe
2516	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2404	WScript.exe
2404	WScript.exe
2648	WScript.exe
2648	WScript.exe
2948	WScript.exe
2948	WScript.exe
1944	WScript.exe
2352	WScript.exe
1904	WScript.exe
1764	WScript.exe
1568	WScript.exe
1568	WScript.exe
2140	WScript.exe
2140	WScript.exe
680	WScript.exe
848	WScript.exe
848	WScript.exe
848	WScript.exe
3052	WScript.exe
3052	WScript.exe
1484	WScript.exe
1484	WScript.exe
376	WScript.exe
376	WScript.exe
1816	WScript.exe
1816	WScript.exe
2724	WScript.exe
2724	WScript.exe
2660	WScript.exe
2660	WScript.exe
1736	WScript.exe
1736	WScript.exe
2336	WScript.exe
2336	WScript.exe
2804	WScript.exe
2804	WScript.exe
2696	WScript.exe
2696	WScript.exe
264	WScript.exe
264	WScript.exe
3012	WScript.exe
3012	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe
584	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
584	svchcst.exe
584	svchcst.exe
656	svchcst.exe
656	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
632	svchcst.exe
632	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
980	svchcst.exe
980	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
772	svchcst.exe
772	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2404	2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	30
PID 2900 wrote to memory of 2404	2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	30
PID 2900 wrote to memory of 2404	2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	30
PID 2900 wrote to memory of 2404	2900	9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe	30
PID 2404 wrote to memory of 584	2404	WScript.exe	33
PID 2404 wrote to memory of 584	2404	WScript.exe	33
PID 2404 wrote to memory of 584	2404	WScript.exe	33
PID 2404 wrote to memory of 584	2404	WScript.exe	33
PID 584 wrote to memory of 2648	584	svchcst.exe	34
PID 584 wrote to memory of 2648	584	svchcst.exe	34
PID 584 wrote to memory of 2648	584	svchcst.exe	34
PID 584 wrote to memory of 2648	584	svchcst.exe	34
PID 2648 wrote to memory of 656	2648	WScript.exe	35
PID 2648 wrote to memory of 656	2648	WScript.exe	35
PID 2648 wrote to memory of 656	2648	WScript.exe	35
PID 2648 wrote to memory of 656	2648	WScript.exe	35
PID 656 wrote to memory of 2948	656	svchcst.exe	36
PID 656 wrote to memory of 2948	656	svchcst.exe	36
PID 656 wrote to memory of 2948	656	svchcst.exe	36
PID 656 wrote to memory of 2948	656	svchcst.exe	36
PID 2948 wrote to memory of 2936	2948	WScript.exe	37
PID 2948 wrote to memory of 2936	2948	WScript.exe	37
PID 2948 wrote to memory of 2936	2948	WScript.exe	37
PID 2948 wrote to memory of 2936	2948	WScript.exe	37
PID 2936 wrote to memory of 1944	2936	svchcst.exe	38
PID 2936 wrote to memory of 1944	2936	svchcst.exe	38
PID 2936 wrote to memory of 1944	2936	svchcst.exe	38
PID 2936 wrote to memory of 1944	2936	svchcst.exe	38
PID 1944 wrote to memory of 2220	1944	WScript.exe	39
PID 1944 wrote to memory of 2220	1944	WScript.exe	39
PID 1944 wrote to memory of 2220	1944	WScript.exe	39
PID 1944 wrote to memory of 2220	1944	WScript.exe	39
PID 2220 wrote to memory of 2352	2220	svchcst.exe	40
PID 2220 wrote to memory of 2352	2220	svchcst.exe	40
PID 2220 wrote to memory of 2352	2220	svchcst.exe	40
PID 2220 wrote to memory of 2352	2220	svchcst.exe	40
PID 2352 wrote to memory of 1784	2352	WScript.exe	41
PID 2352 wrote to memory of 1784	2352	WScript.exe	41
PID 2352 wrote to memory of 1784	2352	WScript.exe	41
PID 2352 wrote to memory of 1784	2352	WScript.exe	41
PID 1784 wrote to memory of 1904	1784	svchcst.exe	42
PID 1784 wrote to memory of 1904	1784	svchcst.exe	42
PID 1784 wrote to memory of 1904	1784	svchcst.exe	42
PID 1784 wrote to memory of 1904	1784	svchcst.exe	42
PID 1904 wrote to memory of 632	1904	WScript.exe	43
PID 1904 wrote to memory of 632	1904	WScript.exe	43
PID 1904 wrote to memory of 632	1904	WScript.exe	43
PID 1904 wrote to memory of 632	1904	WScript.exe	43
PID 632 wrote to memory of 1764	632	svchcst.exe	44
PID 632 wrote to memory of 1764	632	svchcst.exe	44
PID 632 wrote to memory of 1764	632	svchcst.exe	44
PID 632 wrote to memory of 1764	632	svchcst.exe	44
PID 1764 wrote to memory of 2188	1764	WScript.exe	45
PID 1764 wrote to memory of 2188	1764	WScript.exe	45
PID 1764 wrote to memory of 2188	1764	WScript.exe	45
PID 1764 wrote to memory of 2188	1764	WScript.exe	45
PID 2188 wrote to memory of 1568	2188	svchcst.exe	46
PID 2188 wrote to memory of 1568	2188	svchcst.exe	46
PID 2188 wrote to memory of 1568	2188	svchcst.exe	46
PID 2188 wrote to memory of 1568	2188	svchcst.exe	46
PID 1568 wrote to memory of 1968	1568	WScript.exe	47
PID 1568 wrote to memory of 1968	1568	WScript.exe	47
PID 1568 wrote to memory of 1968	1568	WScript.exe	47
PID 1568 wrote to memory of 1968	1568	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe
"C:\Users\Admin\AppData\Local\Temp\9e918075400afdb249542454a0b700d9f0e88f3c1d4c8053d81b0f2c3b6e8207.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c8af42d8aaef2cfbe074a838613e8eb2

SHA1
97dfefd6457c800beb7f9e7b8203535211a8c7c7

SHA256
c4ee2003befbb853e0f1589bc65dd30efe233daf9f9554c9ea55c07600463f4b

SHA512
9b142c22185408cf3973f799ec27fed9666484046051969dd6d3fde2265968e2bb422724b147932f739d744c0fd463bf7074ee59e667cc1e53612111c9ce12a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ac377d80fb702f7dcc45422be446d514

SHA1
48a5e963e996484c4979cd5e34746b3dda5e5460

SHA256
a27d53269913d43c4c48baa87b1131c4adcf3f394b52b3913ee38c67194d6902

SHA512
d2eb9d6b1f7441ca19de72c3e5ae5eae46e79bf45069cda227c73134f8f6c7fb3f757c05269e707e810b1859125d1934ed7ef64aa23f274ae4c1c5a8c0da30c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
347d1ab374eb5339bfcba755af829c9f

SHA1
e9acd7712308202a0a2dd971dcdb75c5b659f3a4

SHA256
14b1e6e60888ad4bd403bdc4b06ac96ca8f785c59efce40eb3ceb2f4e8643606

SHA512
7844c7f86a1a54c1b688c7f120dd05e802ca183a59e4c6656f5da5fec7eb5867d07f01d226c90f16a065df20f36581a2b7a6e23a64996547635ef4e64cd2f77b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
151a85bb78662eb6b264a91e8449a8cc

SHA1
311a0229b6656255d76854fba1280ea9789ff6d9

SHA256
a3d1966f0be0eb9310d577f54ee04b574b10ece85db58a99ec364bb7a4619ae8

SHA512
9b89e1068bdef452f1184938b46fe9e5ded4cec2167261d3024f2f2dc010cb4a98f0f1643352d0e42b8f76a19d52948ed281e0343fa38f86550484c376aed449

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9bb4de21d595f756951920218f1a8097

SHA1
c457d0aefdbaa6a7908e07366b791da4396d93f8

SHA256
e8eca5d88c59914503b8e9c19a192af5a9bf78138fe33a2debc47c24dfb0da83

SHA512
a3f9121f01149216c343808b4b486e5511589920c04630fa085feadc6610a10ee55aceea0b7a1082fa15577387169eb817e7e2b5ea48801bec9b15bbb0946ea5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a5c9270ccd0adcd4821b054af8d069e5

SHA1
0a9396a5090b938b2ece5ca7a3a0df7e375e5d5c

SHA256
9484095f40c5b5321575e47ff207359f4f9c3cec21e00731fe232cd8d653362e

SHA512
ec8c4d98ae2f2852cd6d17bdcd9682144459402cde050d77151b3e031e1c140363944b9503e549830fa92066c65ef6d6ef9f01bef02cde8823a0dcf8c37ecb23

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3dcf44d55a9303d807db3ef49eafed1a

SHA1
c4009bc6fae9ed7917921a7232522e842ead078d

SHA256
212b8460f64c78a1921d2f4dfd765f853089b088cc869cba5fcd0ab48c5a63c8

SHA512
48165539197f3a9ebc8c62182dbc79e75629c6d96b1b0f6b02413cfc9a2ad09d46d6783e5d238a3903b8d345a8199f7fb1e58f11b0e0d4f69139129700268355

Download Submit
memory/264-243-0x0000000005DE0000-0x0000000005F3F000-memory.dmp

Filesize
1.4MB

Download
memory/584-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/632-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/632-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/656-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/656-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1484-167-0x0000000005870000-0x00000000059CF000-memory.dmp

Filesize
1.4MB

Download
memory/1568-105-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/1572-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1572-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-91-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/1784-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1784-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1816-183-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-79-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-56-0x0000000005F00000-0x000000000605F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-119-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-216-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-27-0x00000000043A0000-0x00000000044FF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-234-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2716-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-192-0x00000000045B0000-0x000000000470F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-225-0x0000000004480000-0x00000000045DF000-memory.dmp

Filesize
1.4MB

Download
memory/2900-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-42-0x0000000004840000-0x000000000499F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-43-0x0000000004840000-0x000000000499F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-158-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download