1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
Size

1.1MB
MD5

00664a8abbceb2449988e77f8c2201e3
SHA1

200ce64e950ab791c32c54335328e344ac1366b4
SHA256

1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e
SHA512

7e0831203faf6c350f2bfd9840eec3e6f2efc45f8369ac575fd368eb730d18beb19cb53e97f2c7f13f9b294e58e480099657b842f04aa014a84a0a1611379ecd
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qd:acallSllG4ZM7QzMG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2464	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2464	svchcst.exe
1580	svchcst.exe
852	svchcst.exe
1884	svchcst.exe
2300	svchcst.exe
1660	svchcst.exe
2708	svchcst.exe
2724	svchcst.exe
2508	svchcst.exe
2816	svchcst.exe
1460	svchcst.exe
1620	svchcst.exe
1364	svchcst.exe
2540	svchcst.exe
2204	svchcst.exe
2632	svchcst.exe
2472	svchcst.exe
2936	svchcst.exe
1684	svchcst.exe
996	svchcst.exe
1524	svchcst.exe
924	svchcst.exe
1608	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2740	WScript.exe
2740	WScript.exe
2944	WScript.exe
676	WScript.exe
676	WScript.exe
1932	WScript.exe
2120	WScript.exe
2120	WScript.exe
2120	WScript.exe
1724	WScript.exe
1724	WScript.exe
2192	WScript.exe
2192	WScript.exe
1744	WScript.exe
332	WScript.exe
1720	WScript.exe
2144	WScript.exe
2144	WScript.exe
596	WScript.exe
596	WScript.exe
2316	WScript.exe
2316	WScript.exe
1220	WScript.exe
1220	WScript.exe
1724	WScript.exe
1724	WScript.exe
756	WScript.exe
756	WScript.exe
2828	WScript.exe
2828	WScript.exe
2648	WScript.exe
2648	WScript.exe
1856	WScript.exe
1856	WScript.exe
2344	WScript.exe
2344	WScript.exe
1812	WScript.exe
1812	WScript.exe
1320	WScript.exe
1320	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
2464	svchcst.exe
2464	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
852	svchcst.exe
852	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1460	svchcst.exe
1460	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
1364	svchcst.exe
1364	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
996	svchcst.exe
996	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
924	svchcst.exe
924	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2740	2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe	28
PID 2996 wrote to memory of 2740	2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe	28
PID 2996 wrote to memory of 2740	2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe	28
PID 2996 wrote to memory of 2740	2996	1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe	28
PID 2740 wrote to memory of 2464	2740	WScript.exe	30
PID 2740 wrote to memory of 2464	2740	WScript.exe	30
PID 2740 wrote to memory of 2464	2740	WScript.exe	30
PID 2740 wrote to memory of 2464	2740	WScript.exe	30
PID 2464 wrote to memory of 2944	2464	svchcst.exe	31
PID 2464 wrote to memory of 2944	2464	svchcst.exe	31
PID 2464 wrote to memory of 2944	2464	svchcst.exe	31
PID 2464 wrote to memory of 2944	2464	svchcst.exe	31
PID 2944 wrote to memory of 1580	2944	WScript.exe	32
PID 2944 wrote to memory of 1580	2944	WScript.exe	32
PID 2944 wrote to memory of 1580	2944	WScript.exe	32
PID 2944 wrote to memory of 1580	2944	WScript.exe	32
PID 1580 wrote to memory of 676	1580	svchcst.exe	33
PID 1580 wrote to memory of 676	1580	svchcst.exe	33
PID 1580 wrote to memory of 676	1580	svchcst.exe	33
PID 1580 wrote to memory of 676	1580	svchcst.exe	33
PID 676 wrote to memory of 852	676	WScript.exe	34
PID 676 wrote to memory of 852	676	WScript.exe	34
PID 676 wrote to memory of 852	676	WScript.exe	34
PID 676 wrote to memory of 852	676	WScript.exe	34
PID 852 wrote to memory of 1932	852	svchcst.exe	35
PID 852 wrote to memory of 1932	852	svchcst.exe	35
PID 852 wrote to memory of 1932	852	svchcst.exe	35
PID 852 wrote to memory of 1932	852	svchcst.exe	35
PID 1932 wrote to memory of 1884	1932	WScript.exe	36
PID 1932 wrote to memory of 1884	1932	WScript.exe	36
PID 1932 wrote to memory of 1884	1932	WScript.exe	36
PID 1932 wrote to memory of 1884	1932	WScript.exe	36
PID 1884 wrote to memory of 2120	1884	svchcst.exe	37
PID 1884 wrote to memory of 2120	1884	svchcst.exe	37
PID 1884 wrote to memory of 2120	1884	svchcst.exe	37
PID 1884 wrote to memory of 2120	1884	svchcst.exe	37
PID 2120 wrote to memory of 2300	2120	WScript.exe	40
PID 2120 wrote to memory of 2300	2120	WScript.exe	40
PID 2120 wrote to memory of 2300	2120	WScript.exe	40
PID 2120 wrote to memory of 2300	2120	WScript.exe	40
PID 2300 wrote to memory of 1220	2300	svchcst.exe	41
PID 2300 wrote to memory of 1220	2300	svchcst.exe	41
PID 2300 wrote to memory of 1220	2300	svchcst.exe	41
PID 2300 wrote to memory of 1220	2300	svchcst.exe	41
PID 2120 wrote to memory of 1660	2120	WScript.exe	42
PID 2120 wrote to memory of 1660	2120	WScript.exe	42
PID 2120 wrote to memory of 1660	2120	WScript.exe	42
PID 2120 wrote to memory of 1660	2120	WScript.exe	42
PID 1660 wrote to memory of 1724	1660	svchcst.exe	43
PID 1660 wrote to memory of 1724	1660	svchcst.exe	43
PID 1660 wrote to memory of 1724	1660	svchcst.exe	43
PID 1660 wrote to memory of 1724	1660	svchcst.exe	43
PID 1724 wrote to memory of 2708	1724	WScript.exe	44
PID 1724 wrote to memory of 2708	1724	WScript.exe	44
PID 1724 wrote to memory of 2708	1724	WScript.exe	44
PID 1724 wrote to memory of 2708	1724	WScript.exe	44
PID 2708 wrote to memory of 2192	2708	svchcst.exe	45
PID 2708 wrote to memory of 2192	2708	svchcst.exe	45
PID 2708 wrote to memory of 2192	2708	svchcst.exe	45
PID 2708 wrote to memory of 2192	2708	svchcst.exe	45
PID 2192 wrote to memory of 2724	2192	WScript.exe	46
PID 2192 wrote to memory of 2724	2192	WScript.exe	46
PID 2192 wrote to memory of 2724	2192	WScript.exe	46
PID 2192 wrote to memory of 2724	2192	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe
"C:\Users\Admin\AppData\Local\Temp\1dad7bf7816c4d2f0a5c059fcd735c1dd37d545e6bdc96d7181170cf44f3d16e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f75a3846f9a773787a208938154c941f

SHA1
fe9bb8884ad08bb57a24221134d139fe8395f40d

SHA256
90dbc858f6e288993c4fcfd00749ca737d52f6de65e97995ea541acb6129da7b

SHA512
2e4c55fce85e65988e469fe81cd8510223a971ded1a16a988c25b61bfcbfa4398df1c4d2dab833555938b52c11af68e242e1491b7bbd70a6d849753e38f8f3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
634236ec312c0cdc45b55ff7c1297d13

SHA1
76623a83df235bd873fdc0995607a831745f6e62

SHA256
8f6726efb71da1c2bcef728bad4fc41fc5a5a5800bc64a0fc0db0bb7e8bc946a

SHA512
c2395937c1b3c8b0d2c2d898fb98fb78f714d6996742dae11c4fd973636c355f5c63addfc7ec1809e27eae3ae529ee746acfe13cab86f32f1831562c0dfa26f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a62ecbc3610019378b5a45e405be136

SHA1
3f62c63dc3633d9a4d8f70285bb5f5cee6f7b5fb

SHA256
fe1bc4c1fefe41448775d3be9b945d85a6169d60eb6d5d8b92fec41db4d2107e

SHA512
d576d3f7aa5dfcf2f96229ec09e64aace5f69462bfc18391f958a41be912f97d3cc89342f92246c198085356fa1b6c64796b58df9040ec4e4699ae94e8409dc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
13accecbee70dfb9bbd4e93ff6c379d6

SHA1
836b3fb03588fa94be8026effa1c774eef3efb07

SHA256
b6598e9b93cb705bce8e015aca6bd745437634dca917888102c2c3991adfcbfa

SHA512
8df25e11d024e1d07afa21f7e3d8f6b28a84cd5ec014351e1e67c2cd789e96009e363f3f2b8f4b43b1b263e0750e14de84d43e74c15213d15e25036beb422501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff43c2f37d17383708ec4e0f8351544a

SHA1
fc0a3c65cf0b5b444d79d2b8efff3f4f7dd970ac

SHA256
2e7fc771e42ffea2fd466001b22c5564cb8b9b343824ab7d145912661754d08d

SHA512
3094cf312be1ad719650d8821ca7e6c108be6c0a2c339c0db505ebc2a88f426104f86384faf5d9760eb1a6bc3fcb00f64c5970b5733b45d685ccec42d4107f46

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41a3ce5b8bb4f0d62d894265b714fb1d

SHA1
10b026ace5feac1806596bce6fe32263bcf858c1

SHA256
010aa64d7e424d11bef6945a37699444c13ea7c24cec2da455359bc393b53e56

SHA512
5f453117f9eec4bb87c273ee56d075fe169dd2f2a6270894ab5469cd4032eaf264078e4f056587f1759a98bcdde45047d431b3d5cc9b3e41682cebe1857e0be2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ff1b3c811dc8d4a4943dc40bddc24f4

SHA1
a0adc27f6dd2133a336c0a751503276bd20dedb1

SHA256
0bd65a8a616f99539110722313c42ba88b1d998cebf505072c60c3361215f229

SHA512
249d05f6e1fdf9e4a22c031ed928be125003f20b213605f3f5df0481dd70252449f766023f5a350dd6c9982d2b72895daa165a666f4a617b7dad13510218ca25

Download Submit
memory/596-179-0x0000000004460000-0x00000000045BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-204-0x0000000005B10000-0x0000000005C6F000-memory.dmp

Filesize
1.4MB

Download
memory/852-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/852-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1220-188-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/1364-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1364-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1460-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1580-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1580-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-162-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/1720-147-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/1724-96-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/1724-94-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/1812-247-0x0000000005A50000-0x0000000005BAF000-memory.dmp

Filesize
1.4MB

Download
memory/1856-233-0x0000000005AF0000-0x0000000005C4F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-55-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/2120-79-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2120-80-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2120-82-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-161-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-113-0x0000000005BC0000-0x0000000005D1F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-112-0x0000000005BC0000-0x0000000005D1F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-224-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-14-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-15-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download