db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
Size

1.1MB
MD5

1f528c5dbd1cde51c9efb6a8eb984a59
SHA1

371a7c55cdc20bea480598da3459326c20cf5d06
SHA256

db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421
SHA512

54f6faede966b89c884d688ac24335da395255fe23ed7374e7d2d736b661ab25bc7e63dae3158689779644e7d914f54001ee7e12fad1492f491ebfab68a010c6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzMe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2032	svchcst.exe

Executes dropped EXE 27 IoCs

pid	Process
2032	svchcst.exe
336	svchcst.exe
2764	svchcst.exe
2216	svchcst.exe
1592	svchcst.exe
1268	svchcst.exe
1760	svchcst.exe
2816	svchcst.exe
1920	svchcst.exe
1480	svchcst.exe
2416	svchcst.exe
2796	svchcst.exe
2968	svchcst.exe
1768	svchcst.exe
1512	svchcst.exe
2380	svchcst.exe
2932	svchcst.exe
868	svchcst.exe
2096	svchcst.exe
2556	svchcst.exe
1600	svchcst.exe
2000	svchcst.exe
1864	svchcst.exe
2868	svchcst.exe
2680	svchcst.exe
988	svchcst.exe
2756	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2636	WScript.exe
2636	WScript.exe
2008	WScript.exe
2008	WScript.exe
2504	WScript.exe
2380	WScript.exe
2380	WScript.exe
2380	WScript.exe
1312	WScript.exe
2464	WScript.exe
1312	WScript.exe
1312	WScript.exe
2464	WScript.exe
2452	WScript.exe
2832	WScript.exe
2452	WScript.exe
1636	WScript.exe
1636	WScript.exe
2972	WScript.exe
836	WScript.exe
836	WScript.exe
836	WScript.exe
2972	WScript.exe
2972	WScript.exe
2900	WScript.exe
2900	WScript.exe
2836	WScript.exe
2836	WScript.exe
2112	WScript.exe
2112	WScript.exe
2820	WScript.exe
2820	WScript.exe
2608	WScript.exe
2608	WScript.exe
2968	WScript.exe
2968	WScript.exe
1748	WScript.exe
1748	WScript.exe
2176	WScript.exe
2176	WScript.exe
2272	WScript.exe
2272	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
2032	svchcst.exe
2032	svchcst.exe
336	svchcst.exe
336	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
988	svchcst.exe
988	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2636	2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe	30
PID 2280 wrote to memory of 2636	2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe	30
PID 2280 wrote to memory of 2636	2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe	30
PID 2280 wrote to memory of 2636	2280	db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe	30
PID 2636 wrote to memory of 2032	2636	WScript.exe	32
PID 2636 wrote to memory of 2032	2636	WScript.exe	32
PID 2636 wrote to memory of 2032	2636	WScript.exe	32
PID 2636 wrote to memory of 2032	2636	WScript.exe	32
PID 2032 wrote to memory of 2008	2032	svchcst.exe	33
PID 2032 wrote to memory of 2008	2032	svchcst.exe	33
PID 2032 wrote to memory of 2008	2032	svchcst.exe	33
PID 2032 wrote to memory of 2008	2032	svchcst.exe	33
PID 2008 wrote to memory of 336	2008	WScript.exe	34
PID 2008 wrote to memory of 336	2008	WScript.exe	34
PID 2008 wrote to memory of 336	2008	WScript.exe	34
PID 2008 wrote to memory of 336	2008	WScript.exe	34
PID 336 wrote to memory of 2504	336	svchcst.exe	35
PID 336 wrote to memory of 2504	336	svchcst.exe	35
PID 336 wrote to memory of 2504	336	svchcst.exe	35
PID 336 wrote to memory of 2504	336	svchcst.exe	35
PID 2504 wrote to memory of 2764	2504	WScript.exe	36
PID 2504 wrote to memory of 2764	2504	WScript.exe	36
PID 2504 wrote to memory of 2764	2504	WScript.exe	36
PID 2504 wrote to memory of 2764	2504	WScript.exe	36
PID 2764 wrote to memory of 2380	2764	svchcst.exe	37
PID 2764 wrote to memory of 2380	2764	svchcst.exe	37
PID 2764 wrote to memory of 2380	2764	svchcst.exe	37
PID 2764 wrote to memory of 2380	2764	svchcst.exe	37
PID 2380 wrote to memory of 2216	2380	WScript.exe	38
PID 2380 wrote to memory of 2216	2380	WScript.exe	38
PID 2380 wrote to memory of 2216	2380	WScript.exe	38
PID 2380 wrote to memory of 2216	2380	WScript.exe	38
PID 2216 wrote to memory of 820	2216	svchcst.exe	39
PID 2216 wrote to memory of 820	2216	svchcst.exe	39
PID 2216 wrote to memory of 820	2216	svchcst.exe	39
PID 2216 wrote to memory of 820	2216	svchcst.exe	39
PID 2380 wrote to memory of 1592	2380	WScript.exe	40
PID 2380 wrote to memory of 1592	2380	WScript.exe	40
PID 2380 wrote to memory of 1592	2380	WScript.exe	40
PID 2380 wrote to memory of 1592	2380	WScript.exe	40
PID 1592 wrote to memory of 1312	1592	svchcst.exe	41
PID 1592 wrote to memory of 1312	1592	svchcst.exe	41
PID 1592 wrote to memory of 1312	1592	svchcst.exe	41
PID 1592 wrote to memory of 1312	1592	svchcst.exe	41
PID 1312 wrote to memory of 1268	1312	WScript.exe	42
PID 1312 wrote to memory of 1268	1312	WScript.exe	42
PID 1312 wrote to memory of 1268	1312	WScript.exe	42
PID 1312 wrote to memory of 1268	1312	WScript.exe	42
PID 1268 wrote to memory of 2464	1268	svchcst.exe	43
PID 1268 wrote to memory of 2464	1268	svchcst.exe	43
PID 1268 wrote to memory of 2464	1268	svchcst.exe	43
PID 1268 wrote to memory of 2464	1268	svchcst.exe	43
PID 2464 wrote to memory of 1760	2464	WScript.exe	44
PID 2464 wrote to memory of 1760	2464	WScript.exe	44
PID 2464 wrote to memory of 1760	2464	WScript.exe	44
PID 2464 wrote to memory of 1760	2464	WScript.exe	44
PID 1760 wrote to memory of 2452	1760	svchcst.exe	45
PID 1760 wrote to memory of 2452	1760	svchcst.exe	45
PID 1760 wrote to memory of 2452	1760	svchcst.exe	45
PID 1760 wrote to memory of 2452	1760	svchcst.exe	45
PID 1312 wrote to memory of 2816	1312	WScript.exe	46
PID 1312 wrote to memory of 2816	1312	WScript.exe	46
PID 1312 wrote to memory of 2816	1312	WScript.exe	46
PID 1312 wrote to memory of 2816	1312	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe
"C:\Users\Admin\AppData\Local\Temp\db5292be0d0c71e6f8d088833bcaf8bd76987a10ba904206cc8c4e8bd3d2f421.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
94d220d2a0b3c3f437d86974d52d31ab

SHA1
b3f666415c4937fd7c24d19a8819269412c32f48

SHA256
1bf527a037b39bded1198b7e6908f0e7d3b853d7e6e6f4eb90aebcc9a06cad79

SHA512
debd838dabd43b39e5b49e49c116866d48918424fa2278d894c4deb0ec6c7f857c7ef1a5cc3d43174ebfb65574b295d0f03ed611e90929f30137f86b3263459e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
156603af1134cb3d6f36b45d4242f8ee

SHA1
3da8085ca2fbdc3804f28baa4d596a5c29acbd61

SHA256
ab07ebdf7ddf59b46f96bea29ae8463dbae96566aaca507772d6923109557b09

SHA512
eb20da6a983322aacbfe9c106a00325d487f22a528e24392e2e8fa8bf19cef6f4af5dbd408f940a8a518cbfd1ed466595c1dd9331f97022b5d4dfdb663eb889b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f793db411837f1da81238692ad88a58

SHA1
2cd9f534ea690460ec03e33d5208acbf8609a53b

SHA256
e4161f117173a54373b3552866bd812fa0995ded53643e084fa14cdcacfef8da

SHA512
12591c22c74da6360542bd686059d5fe3008e1d7409c9452f1cbebb413200e37efa236e3677901a15f72f8f596445a66c0b53a64f49f39ae464aacd40fa4102b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69eae252cf4771904148218e0da06ebd

SHA1
5c508722a9c01b442fe9dff35135a96fdc76081c

SHA256
e38307f690c7e7784a8a6bbf221537da42a0b99ea2a4847c5a8ab1364a57e53b

SHA512
79bd7a886f211de1ba20283e5fa5480aa1b265e7babaa33917d64e3f3623cd49c0b67df432078d716c6d96e9137b5041fe57a64865b58015add8cd5311ab7cac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a82f2a38a9296a098c602a2b6f65d702

SHA1
feea3cf2947009123064c869c9cd34a0aaacf722

SHA256
a65d04a011196fa8578eb150b113b7a72468cf3d54c79bdabe7e9c17410e289b

SHA512
02295b7f9fc42c77a4467b6aa6b4229831e3b88c39125d34f2892bd69248f060cfcdedafc39598e17f3d93b586a32c4e604216771547cc26a16ec6ee54859e22

Download Submit
memory/336-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/336-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/836-159-0x0000000003CC0000-0x0000000003E1F000-memory.dmp

Filesize
1.4MB

Download
memory/868-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/988-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/988-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-151-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1748-230-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-28-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-29-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2176-253-0x0000000003EE0000-0x000000000403F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-65-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2380-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-134-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2464-101-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-59-0x0000000005E00000-0x0000000005F5F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-173-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-174-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-157-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download