f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
Size

1.1MB
MD5

a985c545e6324033154ab4d7067d12fb
SHA1

a13201d93b396b1d9d29a3e5fd6e36c56d280624
SHA256

f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480
SHA512

e7baa61b6d29667e28ad3b06683728a2c03e6e9cefd0cdc6634c3ae1aed7a67e608c18e25a60e0d0c9c22bca82666b639ef92e1031c5152ef81faab0370f2203
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q4:acallSllG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1456	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
1456	svchcst.exe
1036	svchcst.exe
3020	svchcst.exe
3036	svchcst.exe
968	svchcst.exe
1744	svchcst.exe
2104	svchcst.exe
2612	svchcst.exe
2888	svchcst.exe
1760	svchcst.exe
2220	svchcst.exe
1836	svchcst.exe
3052	svchcst.exe
2276	svchcst.exe
3004	svchcst.exe
2232	svchcst.exe
2408	svchcst.exe
2740	svchcst.exe
2180	svchcst.exe
1028	svchcst.exe
1792	svchcst.exe
1996	svchcst.exe
1708	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
2684	WScript.exe
2684	WScript.exe
2408	WScript.exe
2408	WScript.exe
2968	WScript.exe
2968	WScript.exe
2352	WScript.exe
2352	WScript.exe
1692	WScript.exe
1692	WScript.exe
1584	WScript.exe
1584	WScript.exe
900	WScript.exe
900	WScript.exe
2836	WScript.exe
2836	WScript.exe
2044	WScript.exe
2908	WScript.exe
2908	WScript.exe
1008	WScript.exe
1008	WScript.exe
1088	WScript.exe
1088	WScript.exe
2516	WScript.exe
2516	WScript.exe
2336	WScript.exe
2336	WScript.exe
2460	WScript.exe
2460	WScript.exe
2580	WScript.exe
2580	WScript.exe
2884	WScript.exe
2884	WScript.exe
2796	WScript.exe
2796	WScript.exe
1780	WScript.exe
1780	WScript.exe
2208	WScript.exe
2208	WScript.exe
2316	WScript.exe
2316	WScript.exe
3032	WScript.exe
3032	WScript.exe
1976	WScript.exe
1976	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
1456	svchcst.exe
1456	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
968	svchcst.exe
968	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2684	2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe	30
PID 2756 wrote to memory of 2684	2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe	30
PID 2756 wrote to memory of 2684	2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe	30
PID 2756 wrote to memory of 2684	2756	f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe	30
PID 2684 wrote to memory of 1456	2684	WScript.exe	32
PID 2684 wrote to memory of 1456	2684	WScript.exe	32
PID 2684 wrote to memory of 1456	2684	WScript.exe	32
PID 2684 wrote to memory of 1456	2684	WScript.exe	32
PID 1456 wrote to memory of 2408	1456	svchcst.exe	33
PID 1456 wrote to memory of 2408	1456	svchcst.exe	33
PID 1456 wrote to memory of 2408	1456	svchcst.exe	33
PID 1456 wrote to memory of 2408	1456	svchcst.exe	33
PID 2408 wrote to memory of 1036	2408	WScript.exe	34
PID 2408 wrote to memory of 1036	2408	WScript.exe	34
PID 2408 wrote to memory of 1036	2408	WScript.exe	34
PID 2408 wrote to memory of 1036	2408	WScript.exe	34
PID 1036 wrote to memory of 2968	1036	svchcst.exe	35
PID 1036 wrote to memory of 2968	1036	svchcst.exe	35
PID 1036 wrote to memory of 2968	1036	svchcst.exe	35
PID 1036 wrote to memory of 2968	1036	svchcst.exe	35
PID 2968 wrote to memory of 3020	2968	WScript.exe	36
PID 2968 wrote to memory of 3020	2968	WScript.exe	36
PID 2968 wrote to memory of 3020	2968	WScript.exe	36
PID 2968 wrote to memory of 3020	2968	WScript.exe	36
PID 3020 wrote to memory of 2352	3020	svchcst.exe	37
PID 3020 wrote to memory of 2352	3020	svchcst.exe	37
PID 3020 wrote to memory of 2352	3020	svchcst.exe	37
PID 3020 wrote to memory of 2352	3020	svchcst.exe	37
PID 2352 wrote to memory of 3036	2352	WScript.exe	38
PID 2352 wrote to memory of 3036	2352	WScript.exe	38
PID 2352 wrote to memory of 3036	2352	WScript.exe	38
PID 2352 wrote to memory of 3036	2352	WScript.exe	38
PID 3036 wrote to memory of 1692	3036	svchcst.exe	39
PID 3036 wrote to memory of 1692	3036	svchcst.exe	39
PID 3036 wrote to memory of 1692	3036	svchcst.exe	39
PID 3036 wrote to memory of 1692	3036	svchcst.exe	39
PID 1692 wrote to memory of 968	1692	WScript.exe	40
PID 1692 wrote to memory of 968	1692	WScript.exe	40
PID 1692 wrote to memory of 968	1692	WScript.exe	40
PID 1692 wrote to memory of 968	1692	WScript.exe	40
PID 968 wrote to memory of 1584	968	svchcst.exe	41
PID 968 wrote to memory of 1584	968	svchcst.exe	41
PID 968 wrote to memory of 1584	968	svchcst.exe	41
PID 968 wrote to memory of 1584	968	svchcst.exe	41
PID 1584 wrote to memory of 1744	1584	WScript.exe	42
PID 1584 wrote to memory of 1744	1584	WScript.exe	42
PID 1584 wrote to memory of 1744	1584	WScript.exe	42
PID 1584 wrote to memory of 1744	1584	WScript.exe	42
PID 1744 wrote to memory of 900	1744	svchcst.exe	43
PID 1744 wrote to memory of 900	1744	svchcst.exe	43
PID 1744 wrote to memory of 900	1744	svchcst.exe	43
PID 1744 wrote to memory of 900	1744	svchcst.exe	43
PID 900 wrote to memory of 2104	900	WScript.exe	44
PID 900 wrote to memory of 2104	900	WScript.exe	44
PID 900 wrote to memory of 2104	900	WScript.exe	44
PID 900 wrote to memory of 2104	900	WScript.exe	44
PID 2104 wrote to memory of 2836	2104	svchcst.exe	45
PID 2104 wrote to memory of 2836	2104	svchcst.exe	45
PID 2104 wrote to memory of 2836	2104	svchcst.exe	45
PID 2104 wrote to memory of 2836	2104	svchcst.exe	45
PID 2836 wrote to memory of 2612	2836	WScript.exe	46
PID 2836 wrote to memory of 2612	2836	WScript.exe	46
PID 2836 wrote to memory of 2612	2836	WScript.exe	46
PID 2836 wrote to memory of 2612	2836	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe
"C:\Users\Admin\AppData\Local\Temp\f943c243bd83dfa38202635dfbccd9581cc851878f3fd2a3ec417ae552046480.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
60b9d3297f6a8062261b201c444856fc

SHA1
18554b39e5132bda81de6bf127717ef911e9f2d4

SHA256
aadd2e49759a81389e1a82a64cb52b76f00d07ea8e314ab10b3354aa4f54d3db

SHA512
f3ef7d0575890a3e49613ae76058b533e57a08f3de0b0e7c0b0d5027ad578f79d09c8f75f14ffb291a7e9aa154db88454f14daf7cfa97ba9a0483e10638658e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e21bd9f48357a7ad60a8c8a24359246d

SHA1
99f9bb0f3dbd879f6b73fae470f21e0e86d7bb0c

SHA256
68514197a0c2c4450b891730f761b4a1e643e6959a78ef75de2ff87bb2f48121

SHA512
9d46c7363e0dcdb4a2ca3a55f3250472f3831a3e21041bdeaaffef67e3471e4ae5eeb40628250ab202d1479c20f7dabd9b0d973c366738da2eab0042f1b4be9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5475e943bdc0ffa02f19252e3e685e9a

SHA1
e526ba12966b1dfb3985a9d30dc25028557ccc2b

SHA256
ac59382dfbc1d912caee14803c0339b8fb1f8e8f55fba4d7e3b55074dfd0636c

SHA512
83c6ae04e89c84aa6626215bcfc41c0c38c0a09b7b01f7af4a434979dad1d68e796de35c3d8d247621cd5d7c36360051f4076adc7bb6468fd86c2323146267aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
188198caabdc11e778ba938ae3fa5941

SHA1
7021cf61965115fa60bfc2b8b608cca32d62f935

SHA256
b11be833106a333fb0420d39da90faca61d5940ce856f1347260d0d758d1d6b8

SHA512
dd984e78c3bc4d6e9a828c95ee0eb45167dc10a8f7fbd5d7d21c0d778b6e8767873c41f1534d7b8e36b9c6629fb9c81a157d18e52f813c7ee581b1cabc84f189

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0554456918d09eacac37896e2c6f96ff

SHA1
5417a743bcb6159de855ec83a4821193493a8ab4

SHA256
0f9f849a20026c9ba29fe140fccc030ad32d2988dbbb1dc90323d53bf2410415

SHA512
70bb50f5b4aa4634bcd08f7550ccb442344e945290214c69881f0b867d515b80b44325053d91a4ecf3e897d3de09ce80c2035077d32d1d30ef7dbaa3d7100635

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
11c592f9cf6779816cc51b30e7bcc5b3

SHA1
59386358736b43384d35e3471c7755fcf986bb56

SHA256
7a2378d7232cdb30496dbd475af266dd92598bef6efd457699945dfc0263ba22

SHA512
8fe5e9d7e8ac41d273080926d0f8097e9857a8f09ddeeb16dd07b967241c223bb149235ac9294df191f80fd70422f6c34fdeb6a4992c2f5fd219e6f03f1ed544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4b2f35c3818c28ecfdb077a75ec50f7

SHA1
00d244d7c07f3fa714998596eeb664ca2591c326

SHA256
509b267020adc95faf8698ce1a1d426500245c4b6a1e6f49147d41dae5929a13

SHA512
67d8572ec959423d9a5b22a770dc3969ebca4f1a25d25d5376880fb4da7447381ef93a4cd30af1584fdecf44374593a5f892a6f2984fa6ab7ade4591e5675de8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed32ea8f855630cfd54421771e13ad88

SHA1
30c9285567b0dc8a4b7119e56eb652cb1b9af242

SHA256
e57df5c8d9d3454d438365dc295c03fe4952e28185a32ec65b82ced19c877f18

SHA512
2bb91bbafa088262c7148044afb9691511ec54f736f3d567e2a93c90b153f7b52d99eb48843ec8dd539b215465497457da91a7c49a6fad7d140f706fda661f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
704562e0281418563fd66a4bd04cbd9c

SHA1
cf0261075c92c4922b353122b6ff730e159d0a7b

SHA256
e229b8466f3e0920922ec5ff2825cadc82da9601a24b512a32984e59704f4f59

SHA512
ad2458c157c39341a7102b8f54f3724d02818bdc4dacddc631e3141aa0a48a2372723c4ebb5b2912d7e08e559340ac642f563a77edf072b8335c57d3668bf7ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d45f928d312ddf7efa7027cab13b7ca

SHA1
8e6a72d9a01f1354e9cb43e353a1870f5dd1dc9f

SHA256
19661c3c379ddc35102feb4c6874562d03766979275e6fc0677a806f309b48da

SHA512
bb3b0d452565aaf6d5a9356b88e6b57b8745f11a17ff9bdd3cea1eda3e2a8527fab5fe05862aea9f1c2bb5241fb7ad6920999b79a9220f4a171f6fe615723412

Download Submit
memory/968-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1008-142-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/1028-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1028-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1088-150-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-68-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/1708-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-230-0x00000000046A0000-0x00000000047FF000-memory.dmp

Filesize
1.4MB

Download
memory/1780-214-0x00000000046A0000-0x00000000047FF000-memory.dmp

Filesize
1.4MB

Download
memory/1792-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1792-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1836-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1836-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-222-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-232-0x0000000005B80000-0x0000000005CDF000-memory.dmp

Filesize
1.4MB

Download
memory/2336-166-0x0000000004500000-0x000000000465F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-27-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-175-0x0000000004550000-0x00000000046AF000-memory.dmp

Filesize
1.4MB

Download
memory/2580-187-0x0000000005D90000-0x0000000005EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2580-186-0x0000000005D90000-0x0000000005EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2612-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-204-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-195-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-41-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/3004-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-242-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-241-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download