32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
Size

1.1MB
MD5

a1d8d460c3aea7b2b7c8242aa8da353a
SHA1

901b77b2e300a6c6a46fd48cf3fa4aa7468339f2
SHA256

32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf
SHA512

ac37ea1c63abe447be18953cd710fb3ee5505d810d7dc564081a437b15339e94b18195d87f535de2cf6fd7a164d57c5535c01335b268a8e27cb72d967722a5c5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qu:acallSllG4ZM7QzMF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2212	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2212	svchcst.exe
2880	svchcst.exe
2960	svchcst.exe
3028	svchcst.exe
440	svchcst.exe
2964	svchcst.exe
556	svchcst.exe
2280	svchcst.exe
2652	svchcst.exe
2720	svchcst.exe
1200	svchcst.exe
2888	svchcst.exe
3024	svchcst.exe
2080	svchcst.exe
1524	svchcst.exe
2568	svchcst.exe
1224	svchcst.exe
876	svchcst.exe
2644	svchcst.exe
2696	svchcst.exe
1644	svchcst.exe
2236	svchcst.exe
2064	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
3068	WScript.exe
3068	WScript.exe
2764	WScript.exe
2888	WScript.exe
2888	WScript.exe
1988	WScript.exe
1356	WScript.exe
1356	WScript.exe
1396	WScript.exe
1396	WScript.exe
2244	WScript.exe
2244	WScript.exe
2544	WScript.exe
1564	WScript.exe
1564	WScript.exe
1564	WScript.exe
2688	WScript.exe
2688	WScript.exe
1752	WScript.exe
1752	WScript.exe
1460	WScript.exe
1460	WScript.exe
1952	WScript.exe
1952	WScript.exe
1840	WScript.exe
1840	WScript.exe
2232	WScript.exe
2232	WScript.exe
2868	WScript.exe
2868	WScript.exe
2292	WScript.exe
2292	WScript.exe
2332	WScript.exe
2332	WScript.exe
2948	WScript.exe
2948	WScript.exe
1692	WScript.exe
1692	WScript.exe
1292	WScript.exe
1292	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
2212	svchcst.exe
2212	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
440	svchcst.exe
440	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
556	svchcst.exe
556	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
1224	svchcst.exe
1224	svchcst.exe
876	svchcst.exe
876	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 3068	2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe	30
PID 2568 wrote to memory of 3068	2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe	30
PID 2568 wrote to memory of 3068	2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe	30
PID 2568 wrote to memory of 3068	2568	32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe	30
PID 3068 wrote to memory of 2212	3068	WScript.exe	33
PID 3068 wrote to memory of 2212	3068	WScript.exe	33
PID 3068 wrote to memory of 2212	3068	WScript.exe	33
PID 3068 wrote to memory of 2212	3068	WScript.exe	33
PID 2212 wrote to memory of 2764	2212	svchcst.exe	34
PID 2212 wrote to memory of 2764	2212	svchcst.exe	34
PID 2212 wrote to memory of 2764	2212	svchcst.exe	34
PID 2212 wrote to memory of 2764	2212	svchcst.exe	34
PID 2764 wrote to memory of 2880	2764	WScript.exe	35
PID 2764 wrote to memory of 2880	2764	WScript.exe	35
PID 2764 wrote to memory of 2880	2764	WScript.exe	35
PID 2764 wrote to memory of 2880	2764	WScript.exe	35
PID 2880 wrote to memory of 2888	2880	svchcst.exe	36
PID 2880 wrote to memory of 2888	2880	svchcst.exe	36
PID 2880 wrote to memory of 2888	2880	svchcst.exe	36
PID 2880 wrote to memory of 2888	2880	svchcst.exe	36
PID 2888 wrote to memory of 2960	2888	WScript.exe	37
PID 2888 wrote to memory of 2960	2888	WScript.exe	37
PID 2888 wrote to memory of 2960	2888	WScript.exe	37
PID 2888 wrote to memory of 2960	2888	WScript.exe	37
PID 2960 wrote to memory of 1988	2960	svchcst.exe	38
PID 2960 wrote to memory of 1988	2960	svchcst.exe	38
PID 2960 wrote to memory of 1988	2960	svchcst.exe	38
PID 2960 wrote to memory of 1988	2960	svchcst.exe	38
PID 2888 wrote to memory of 3028	2888	WScript.exe	39
PID 2888 wrote to memory of 3028	2888	WScript.exe	39
PID 2888 wrote to memory of 3028	2888	WScript.exe	39
PID 2888 wrote to memory of 3028	2888	WScript.exe	39
PID 3028 wrote to memory of 1356	3028	svchcst.exe	40
PID 3028 wrote to memory of 1356	3028	svchcst.exe	40
PID 3028 wrote to memory of 1356	3028	svchcst.exe	40
PID 3028 wrote to memory of 1356	3028	svchcst.exe	40
PID 1988 wrote to memory of 440	1988	WScript.exe	41
PID 1988 wrote to memory of 440	1988	WScript.exe	41
PID 1988 wrote to memory of 440	1988	WScript.exe	41
PID 1988 wrote to memory of 440	1988	WScript.exe	41
PID 440 wrote to memory of 664	440	svchcst.exe	42
PID 440 wrote to memory of 664	440	svchcst.exe	42
PID 440 wrote to memory of 664	440	svchcst.exe	42
PID 440 wrote to memory of 664	440	svchcst.exe	42
PID 1356 wrote to memory of 2964	1356	WScript.exe	43
PID 1356 wrote to memory of 2964	1356	WScript.exe	43
PID 1356 wrote to memory of 2964	1356	WScript.exe	43
PID 1356 wrote to memory of 2964	1356	WScript.exe	43
PID 2964 wrote to memory of 1396	2964	svchcst.exe	44
PID 2964 wrote to memory of 1396	2964	svchcst.exe	44
PID 2964 wrote to memory of 1396	2964	svchcst.exe	44
PID 2964 wrote to memory of 1396	2964	svchcst.exe	44
PID 1396 wrote to memory of 556	1396	WScript.exe	45
PID 1396 wrote to memory of 556	1396	WScript.exe	45
PID 1396 wrote to memory of 556	1396	WScript.exe	45
PID 1396 wrote to memory of 556	1396	WScript.exe	45
PID 556 wrote to memory of 2244	556	svchcst.exe	46
PID 556 wrote to memory of 2244	556	svchcst.exe	46
PID 556 wrote to memory of 2244	556	svchcst.exe	46
PID 556 wrote to memory of 2244	556	svchcst.exe	46
PID 2244 wrote to memory of 2280	2244	WScript.exe	47
PID 2244 wrote to memory of 2280	2244	WScript.exe	47
PID 2244 wrote to memory of 2280	2244	WScript.exe	47
PID 2244 wrote to memory of 2280	2244	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe
"C:\Users\Admin\AppData\Local\Temp\32104c00261724ade56b3921c9a1b2af6c3e69d445dd8021495ae03b1a22cfaf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cb5e082fcb65829d71390a5b4f0942b2

SHA1
83147e11afec4b6fc99e270b2236535e6cd21813

SHA256
086f9c6362abd590d7f5d59eda77d25f0fb394c63722938372099247ab3fd6af

SHA512
48f8f4bd694ae8a5c4e0deac22c4dbed3aa9151c1c0d004daa53e8686b5d5dcf104a71b4e3db95af2dc3c20429f6d42fb46d0fc4076d6b76d88a027bcd0ebec2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b8dc0256e93795ab1916ef1e8d5ab6d

SHA1
0e5ec3dcaf12d4db97ea8e89d44c94c3dc0abef3

SHA256
fb8186c6a4131e2e8862bf88d8116588f559fea7122d6e5c77ec076194332e2b

SHA512
c4e070e6137ee43304a6b13c6131a9f0e515fda7e9eb07931f0a8209e06ce4e40039a13d31bf1d475b2f5248480e2f232ed8f2542374e163ebcf458e02951d21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2926f78e8d31fe2d2b1516ffac4f220d

SHA1
b08e215eb300dc05958d4cb8d582d59327c4f2b8

SHA256
3b661ddf521f50e441541a615150baa718ee3d33e36d04df77151547b9c0bb17

SHA512
79a1da26b9354f93ab0e0feb5bb39b378a073674153d181f776617864e804bf151d3384892d3f5ebed5843eca825d5a5ffb8518cf721f8953ac6ce14245be976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7eca90fb52116047b6c4a7170dbd856b

SHA1
c52dfad7a73b6f73e237afcf6352ca6541c7bc11

SHA256
87c67faa0b55f5160371b0b1585317c8234e6fc0f79196cfb3cd5dd5a3492381

SHA512
d7b73922dcd32ae2acb67e0f4388f5c18e3e97953c0390802057652cf24d40839915a4e48f2d236289084033f613af9a3f7f2437ae9b959838c1a825a997be9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
212c549f447fa1fb05a1f54f30291707

SHA1
6f7f703d4e25c51c9a948b47d7b769f93c243813

SHA256
f922637d931f8dcc92c2bcbd4a47437504bb9ad6c3631ab6aebdfff8658cc60f

SHA512
3ef5884d5ba5e2b8d67fc0a0468febe006bd9b26d451a287b9f159e35c105421e7a5fe40cf18ccc3ff9268bb9aa167299e9bca011aff5bccbaad044e48ea2097

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
471695266690dd50bdd3ef3e58bb7f8e

SHA1
404e7d5927ad1b558706c91d4c55ad02767ee268

SHA256
90c7a25a6f96e7409aeb3c0207f04b9d8199e7701c1789103d93ad2c9b56db30

SHA512
f46241d13c9f50a38cef6963d4b67ee118f6b35a1483385e4e44e5ce4e1245c0c78ee7cb162e5b97e40f22dad364ca6247446b31245b19d75199a567c509a4fc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ad4c44885ffd2014cf14918d9cc89cbe

SHA1
b44cdcff6dbafc3de46e0a674e982611d60d664e

SHA256
84b956a0ecdcae5f122c2f9d83f54281b8d3de196fac5c931757615776dd282f

SHA512
0cfa1200d8e1726aaf8ee948ab1a2b91288917d51fc8371f6493ac378fc36c3bd4141d805c6f7dc06b8e4e544cba959535edc294d583620884665aa82979e490

Download Submit
memory/440-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/440-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/556-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/556-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1292-244-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1524-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-231-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-155-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download
memory/1840-187-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-171-0x0000000006060000-0x00000000061BF000-memory.dmp

Filesize
1.4MB

Download
memory/2064-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2080-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-99-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/2280-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-203-0x0000000004010000-0x000000000416F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-216-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-162-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-150-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-222-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/2948-221-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/2960-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-14-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-15-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download