4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Size

1.1MB
MD5

237cd8d412fdf74c62321918632adc01
SHA1

4266dafd3fca28f943a25862e1a21e6347003817
SHA256

4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068
SHA512

1be7db88db5dccc437e6846294892831306b8fd664b76334f0de579566f4e935494d24c8c68ff64ea4c914dd8a3e64235ad109e40d485d480671dd69a14b8bf5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QT:acallSllG4ZM7QzMk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1484	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
1484	svchcst.exe
2328	svchcst.exe
2672	svchcst.exe
2240	svchcst.exe
1288	svchcst.exe
1772	svchcst.exe
2292	svchcst.exe
1956	svchcst.exe
2060	svchcst.exe
2788	svchcst.exe
2136	svchcst.exe
568	svchcst.exe
1628	svchcst.exe
2144	svchcst.exe
1932	svchcst.exe
2064	svchcst.exe
2856	svchcst.exe
668	svchcst.exe
2600	svchcst.exe
1848	svchcst.exe
824	svchcst.exe
2988	svchcst.exe
1628	svchcst.exe
1772	svchcst.exe
2020	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2116	WScript.exe
2116	WScript.exe
2640	WScript.exe
2348	WScript.exe
544	WScript.exe
1476	WScript.exe
1476	WScript.exe
868	WScript.exe
868	WScript.exe
868	WScript.exe
1184	WScript.exe
2084	WScript.exe
2084	WScript.exe
2084	WScript.exe
2004	WScript.exe
2004	WScript.exe
2028	WScript.exe
2028	WScript.exe
2028	WScript.exe
1556	WScript.exe
1556	WScript.exe
1556	WScript.exe
2880	WScript.exe
2880	WScript.exe
1592	WScript.exe
1592	WScript.exe
2704	WScript.exe
2704	WScript.exe
532	WScript.exe
532	WScript.exe
2140	WScript.exe
2140	WScript.exe
1292	WScript.exe
1292	WScript.exe
2816	WScript.exe
2816	WScript.exe
2040	WScript.exe
2040	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
1484	svchcst.exe
1484	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
568	svchcst.exe
568	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
668	svchcst.exe
668	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
824	svchcst.exe
824	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2116	2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	30
PID 2088 wrote to memory of 2116	2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	30
PID 2088 wrote to memory of 2116	2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	30
PID 2088 wrote to memory of 2116	2088	4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe	30
PID 2116 wrote to memory of 1484	2116	WScript.exe	33
PID 2116 wrote to memory of 1484	2116	WScript.exe	33
PID 2116 wrote to memory of 1484	2116	WScript.exe	33
PID 2116 wrote to memory of 1484	2116	WScript.exe	33
PID 1484 wrote to memory of 2640	1484	svchcst.exe	34
PID 1484 wrote to memory of 2640	1484	svchcst.exe	34
PID 1484 wrote to memory of 2640	1484	svchcst.exe	34
PID 1484 wrote to memory of 2640	1484	svchcst.exe	34
PID 2640 wrote to memory of 2328	2640	WScript.exe	35
PID 2640 wrote to memory of 2328	2640	WScript.exe	35
PID 2640 wrote to memory of 2328	2640	WScript.exe	35
PID 2640 wrote to memory of 2328	2640	WScript.exe	35
PID 2328 wrote to memory of 2348	2328	svchcst.exe	36
PID 2328 wrote to memory of 2348	2328	svchcst.exe	36
PID 2328 wrote to memory of 2348	2328	svchcst.exe	36
PID 2328 wrote to memory of 2348	2328	svchcst.exe	36
PID 2348 wrote to memory of 2672	2348	WScript.exe	37
PID 2348 wrote to memory of 2672	2348	WScript.exe	37
PID 2348 wrote to memory of 2672	2348	WScript.exe	37
PID 2348 wrote to memory of 2672	2348	WScript.exe	37
PID 2672 wrote to memory of 544	2672	svchcst.exe	38
PID 2672 wrote to memory of 544	2672	svchcst.exe	38
PID 2672 wrote to memory of 544	2672	svchcst.exe	38
PID 2672 wrote to memory of 544	2672	svchcst.exe	38
PID 544 wrote to memory of 2240	544	WScript.exe	39
PID 544 wrote to memory of 2240	544	WScript.exe	39
PID 544 wrote to memory of 2240	544	WScript.exe	39
PID 544 wrote to memory of 2240	544	WScript.exe	39
PID 2240 wrote to memory of 1476	2240	svchcst.exe	40
PID 2240 wrote to memory of 1476	2240	svchcst.exe	40
PID 2240 wrote to memory of 1476	2240	svchcst.exe	40
PID 2240 wrote to memory of 1476	2240	svchcst.exe	40
PID 1476 wrote to memory of 1288	1476	WScript.exe	41
PID 1476 wrote to memory of 1288	1476	WScript.exe	41
PID 1476 wrote to memory of 1288	1476	WScript.exe	41
PID 1476 wrote to memory of 1288	1476	WScript.exe	41
PID 1288 wrote to memory of 1184	1288	svchcst.exe	42
PID 1288 wrote to memory of 1184	1288	svchcst.exe	42
PID 1288 wrote to memory of 1184	1288	svchcst.exe	42
PID 1288 wrote to memory of 1184	1288	svchcst.exe	42
PID 1476 wrote to memory of 1772	1476	WScript.exe	43
PID 1476 wrote to memory of 1772	1476	WScript.exe	43
PID 1476 wrote to memory of 1772	1476	WScript.exe	43
PID 1476 wrote to memory of 1772	1476	WScript.exe	43
PID 1772 wrote to memory of 868	1772	svchcst.exe	44
PID 1772 wrote to memory of 868	1772	svchcst.exe	44
PID 1772 wrote to memory of 868	1772	svchcst.exe	44
PID 1772 wrote to memory of 868	1772	svchcst.exe	44
PID 868 wrote to memory of 2292	868	WScript.exe	45
PID 868 wrote to memory of 2292	868	WScript.exe	45
PID 868 wrote to memory of 2292	868	WScript.exe	45
PID 868 wrote to memory of 2292	868	WScript.exe	45
PID 2292 wrote to memory of 2248	2292	svchcst.exe	46
PID 2292 wrote to memory of 2248	2292	svchcst.exe	46
PID 2292 wrote to memory of 2248	2292	svchcst.exe	46
PID 2292 wrote to memory of 2248	2292	svchcst.exe	46
PID 868 wrote to memory of 1956	868	WScript.exe	47
PID 868 wrote to memory of 1956	868	WScript.exe	47
PID 868 wrote to memory of 1956	868	WScript.exe	47
PID 868 wrote to memory of 1956	868	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe
"C:\Users\Admin\AppData\Local\Temp\4ab5d0da80f59647be4ee8717d4c195a3f136fa48d38671da1304b3918617068.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
efd9fe9f1ae2562949d0cf32d77226ed

SHA1
1087a4816e6656538d9cd496fc150972107ce6a8

SHA256
25caf497ea9a99ab16372ea620fa5109fdcf35ff48cafc51a2784648d83917cf

SHA512
6a8602004c7d1fefa4be305623b3f4ca868c2a362001f674440934d7ea42dbd5f1173ae6bd2bbf0f0d25e3459920b746fb9268efe8ac03909aa96851998e325d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2234778c5d246f695668a3bc4a2f2d7a

SHA1
dd26c3c3c7d0543ba8c007a92451f3169d500430

SHA256
8fa7a2c10c17fddc006338aca9426fa4a3acf094aa37cb9f5f50ac4f3d4d3090

SHA512
dcc4623499aa672d4283f39cef7dc09a3f0731dd6e1dcb52b5d31cea0fd6b11aa55a76b25276be27a99cdb95e7778a71e6eb1b20b61702b30511078e1a45bd05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8decba2ed4d61d03398f546919c61e1

SHA1
f8cad05879017c5dfbfcf7d8dcc26af100d164d1

SHA256
bbef364b0c9b06724ac8aa3895035ccb4e54311dd816aceaa2b9b81e0afc0bd1

SHA512
6b99d58ddf6844c8eef300349059eeca9ef5ecdb484a87faff3ff43acf89ef7b54ab96ad6a3a15892873bbc6c6b1a1376d997f54d321fccfff364d8a50b72435

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a6f52702202f7b388066e06991f1329e

SHA1
b84f3fa905248fd4e8483afcb98ab07893db402f

SHA256
6599dc9579c32f922a7a47bd8247c6845c45014b0d7641c0e680d439b53bc997

SHA512
df913f0f4463856d620ab216119273a6ef4e5d5efcd23b75086fc74298305a4d8982da2d59b914df3d6e9ee99e84d96c79888a637cce9fba3c0a4849080be5bb

Download Submit
memory/568-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/824-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-117-0x0000000004540000-0x000000000469F000-memory.dmp

Filesize
1.4MB

Download
memory/868-100-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/1288-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1288-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1292-233-0x0000000005C20000-0x0000000005D7F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-73-0x0000000005E00000-0x0000000005F5F000-memory.dmp

Filesize
1.4MB

Download
memory/1484-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1484-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1556-175-0x0000000005660000-0x00000000057BF000-memory.dmp

Filesize
1.4MB

Download
memory/1556-173-0x0000000005660000-0x00000000057BF000-memory.dmp

Filesize
1.4MB

Download
memory/1592-196-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-197-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-141-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-247-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-118-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-130-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-20-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/2116-15-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/2136-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2136-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-206-0x0000000005950000-0x0000000005AAF000-memory.dmp

Filesize
1.4MB

Download
memory/2788-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-242-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download