a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Size

1.1MB
MD5

7618446ec2f789bf7ac8574974e8fc15
SHA1

2fbbdf47ead354d51ade6024376265ca33e4c968
SHA256

a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e
SHA512

c4a93d9d0c53e21313612f7a0b2779034d3e457f59da32069cd46f0027e768ecef0ba91b662aaa02aaf2443fe3acde10acf37afe80c86a21afaff58719d0ba4b
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qg:acallSllG4ZM7QzMn

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2552	svchcst.exe
2096	svchcst.exe
1524	svchcst.exe
2220	svchcst.exe
1888	svchcst.exe
2500	svchcst.exe
2480	svchcst.exe
2792	svchcst.exe
1560	svchcst.exe
2428	svchcst.exe
3060	svchcst.exe
2404	svchcst.exe
2252	svchcst.exe
2684	svchcst.exe
3028	svchcst.exe
2944	svchcst.exe
1672	svchcst.exe
752	svchcst.exe
2348	svchcst.exe
2444	svchcst.exe
2936	svchcst.exe
1340	svchcst.exe
1820	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2764	WScript.exe
2764	WScript.exe
1720	WScript.exe
1508	WScript.exe
1508	WScript.exe
1072	WScript.exe
2224	WScript.exe
2224	WScript.exe
1308	WScript.exe
1308	WScript.exe
2148	WScript.exe
2360	WScript.exe
2352	WScript.exe
1348	WScript.exe
3068	WScript.exe
3068	WScript.exe
2304	WScript.exe
2304	WScript.exe
848	WScript.exe
848	WScript.exe
1640	WScript.exe
1640	WScript.exe
2276	WScript.exe
2276	WScript.exe
2616	WScript.exe
2616	WScript.exe
2904	WScript.exe
2904	WScript.exe
444	WScript.exe
444	WScript.exe
2504	WScript.exe
2504	WScript.exe
2476	WScript.exe
2476	WScript.exe
1944	WScript.exe
1944	WScript.exe
2224	WScript.exe
2224	WScript.exe
2440	WScript.exe
2440	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
2552	svchcst.exe
2552	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1888	svchcst.exe
1888	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
1672	svchcst.exe
1672	svchcst.exe
752	svchcst.exe
752	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2764	2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	30
PID 2488 wrote to memory of 2764	2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	30
PID 2488 wrote to memory of 2764	2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	30
PID 2488 wrote to memory of 2764	2488	a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe	30
PID 2764 wrote to memory of 2552	2764	WScript.exe	32
PID 2764 wrote to memory of 2552	2764	WScript.exe	32
PID 2764 wrote to memory of 2552	2764	WScript.exe	32
PID 2764 wrote to memory of 2552	2764	WScript.exe	32
PID 2552 wrote to memory of 1720	2552	svchcst.exe	33
PID 2552 wrote to memory of 1720	2552	svchcst.exe	33
PID 2552 wrote to memory of 1720	2552	svchcst.exe	33
PID 2552 wrote to memory of 1720	2552	svchcst.exe	33
PID 1720 wrote to memory of 2096	1720	WScript.exe	34
PID 1720 wrote to memory of 2096	1720	WScript.exe	34
PID 1720 wrote to memory of 2096	1720	WScript.exe	34
PID 1720 wrote to memory of 2096	1720	WScript.exe	34
PID 2096 wrote to memory of 1508	2096	svchcst.exe	35
PID 2096 wrote to memory of 1508	2096	svchcst.exe	35
PID 2096 wrote to memory of 1508	2096	svchcst.exe	35
PID 2096 wrote to memory of 1508	2096	svchcst.exe	35
PID 1508 wrote to memory of 1524	1508	WScript.exe	36
PID 1508 wrote to memory of 1524	1508	WScript.exe	36
PID 1508 wrote to memory of 1524	1508	WScript.exe	36
PID 1508 wrote to memory of 1524	1508	WScript.exe	36
PID 1524 wrote to memory of 1072	1524	svchcst.exe	37
PID 1524 wrote to memory of 1072	1524	svchcst.exe	37
PID 1524 wrote to memory of 1072	1524	svchcst.exe	37
PID 1524 wrote to memory of 1072	1524	svchcst.exe	37
PID 1072 wrote to memory of 2220	1072	WScript.exe	38
PID 1072 wrote to memory of 2220	1072	WScript.exe	38
PID 1072 wrote to memory of 2220	1072	WScript.exe	38
PID 1072 wrote to memory of 2220	1072	WScript.exe	38
PID 2220 wrote to memory of 2100	2220	svchcst.exe	39
PID 2220 wrote to memory of 2100	2220	svchcst.exe	39
PID 2220 wrote to memory of 2100	2220	svchcst.exe	39
PID 2220 wrote to memory of 2100	2220	svchcst.exe	39
PID 2220 wrote to memory of 2224	2220	svchcst.exe	40
PID 2220 wrote to memory of 2224	2220	svchcst.exe	40
PID 2220 wrote to memory of 2224	2220	svchcst.exe	40
PID 2220 wrote to memory of 2224	2220	svchcst.exe	40
PID 2224 wrote to memory of 1888	2224	WScript.exe	41
PID 2224 wrote to memory of 1888	2224	WScript.exe	41
PID 2224 wrote to memory of 1888	2224	WScript.exe	41
PID 2224 wrote to memory of 1888	2224	WScript.exe	41
PID 1888 wrote to memory of 1308	1888	svchcst.exe	42
PID 1888 wrote to memory of 1308	1888	svchcst.exe	42
PID 1888 wrote to memory of 1308	1888	svchcst.exe	42
PID 1888 wrote to memory of 1308	1888	svchcst.exe	42
PID 1308 wrote to memory of 2500	1308	WScript.exe	43
PID 1308 wrote to memory of 2500	1308	WScript.exe	43
PID 1308 wrote to memory of 2500	1308	WScript.exe	43
PID 1308 wrote to memory of 2500	1308	WScript.exe	43
PID 2500 wrote to memory of 2148	2500	svchcst.exe	44
PID 2500 wrote to memory of 2148	2500	svchcst.exe	44
PID 2500 wrote to memory of 2148	2500	svchcst.exe	44
PID 2500 wrote to memory of 2148	2500	svchcst.exe	44
PID 2148 wrote to memory of 2480	2148	WScript.exe	45
PID 2148 wrote to memory of 2480	2148	WScript.exe	45
PID 2148 wrote to memory of 2480	2148	WScript.exe	45
PID 2148 wrote to memory of 2480	2148	WScript.exe	45
PID 2480 wrote to memory of 2360	2480	svchcst.exe	46
PID 2480 wrote to memory of 2360	2480	svchcst.exe	46
PID 2480 wrote to memory of 2360	2480	svchcst.exe	46
PID 2480 wrote to memory of 2360	2480	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe
"C:\Users\Admin\AppData\Local\Temp\a2b1ae60582d970fc55202a7d1cb2aff7236eecbc13c99678c0083d62950575e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bf97a81a324959b2f1f28a23a4d7c49e

SHA1
ab4f71f58af4e6c9605cf21d40410d9fc9f81741

SHA256
c2bc542dbcaae8251562e9f4eff4ff36164c324abdc9e5796170570826def2d4

SHA512
bfaae2ff0a75f0820a4b54607a45b0507be20a5e8352954a1924749aad59a223b42516e5366eb09eb3698e4471e93fd7a21b469cb3426625bf2c080e7b658db0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e57698eac239f2da74dd3b5a6016d0c4

SHA1
6a6381a5dce3726cda8265087332323e878ca23b

SHA256
8cf374f6dca921bf09d34c11c2ee6acfece5e55cfff9c9785a78f070dd8fd7d8

SHA512
b81c7f4cb8b8b52c2a531c5d2bf93318f6e841151956f9ba9666323a2daeff6a5f542ffbfd4d3281be92cb4550de79fefbb168c827c6dd3a8a40ac02823887e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2e542ec161aad87fcec1725584f214f1

SHA1
e01278017c6e039968918fa7251577e5d7908879

SHA256
db6574ee16197d9a55314789b29cce1b56354d3e82334f2308add1c648934f6e

SHA512
b392d588ca4e9161ca09180f12fed1eba67d3dc349e10d369d670e81f9eb2a06f4c84c8db40780185c2bc679422ef6cb0c5d97f5333a219c20f80278c59d8947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b47bbaf99d1509005b3a378197952be0

SHA1
a3cc4a3961769259280a79034569ee5b278730f4

SHA256
7ce1a18708b77a5b3270118312da3ee175c2d649f3a10a9dc970f7161db7142a

SHA512
5a81e1e5ae397197c5b6038127f6c8d84bb526f6ab19f40be50021b93a4b8b6a7eb1c912e7f816023363336020a8a8dae11bda467542b95318a305f439041f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
af80ed1a29999662ccf78b01e22b4015

SHA1
184bbb6f7d466e0edc97c2500abb12a8cfc82f54

SHA256
6071a698150e4ce126c9168f6e11826ac539eaac8779e609330d0f64217f3f72

SHA512
fafec6d74264ac5598061edb51094c30515bf07b9257168602a786eead7461dad8aa1d46946a67ab0bda5ffe4acf853f22210b8e368cd16e882c84d44ec6317c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
633437e708e90b61413e306c7a907123

SHA1
9e221acdf0395a6407448d0d37791f989521b9b2

SHA256
6c56b13e9f212aff718a82a85b2abfc4298e0a35157f2f3ab4bab334d6c8d0ea

SHA512
c327ed4f91ae315848577e26d17cc80e1cd0cf60de85d189a8505de4b4c74e25d6790e070f93577d877b29b9bdc7e7c64028dc45458c089dbfe282dd3b62e2e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3b39b23a597ebde4b2dd40736d5f7524

SHA1
b6bba5884da740a68af9cbfa851f8b9e4d931468

SHA256
79a76dc861100ceba488fd004d44dd17c8aac8e17eb08471d29f5c94f1528a99

SHA512
a39c5b8cb6065eb03cfbbda41b292f2babe3ad9f1f15202b3f9f85587acdc1d89f156046ebb3f70466dcbc3fc0e3cb187b84135002328e7f4d81e240320d9997

Download Submit
memory/752-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-54-0x0000000004610000-0x000000000476F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-86-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1308-87-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1340-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1672-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1888-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1888-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2148-99-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-72-0x0000000004920000-0x0000000004A7F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-160-0x0000000004B20000-0x0000000004C7F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-213-0x0000000004870000-0x00000000049CF000-memory.dmp

Filesize
1.4MB

Download
memory/2552-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-14-0x0000000004490000-0x00000000045EF000-memory.dmp

Filesize
1.4MB

Download
memory/2764-15-0x0000000004490000-0x00000000045EF000-memory.dmp

Filesize
1.4MB

Download
memory/2792-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download