421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
Size

1.1MB
MD5

dfa37193158468ddf717d0ac2c1ee70c
SHA1

5daf0dba58174ee7cc9f5d097ed77c1dd360ad87
SHA256

421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd
SHA512

5cac4b8841caf71abf5831dc0dc49067f7b2a49c92a3ee77cf09401047f6103083576078209e5a0920c07c7e03a723729eec6d376efbf05d0728fe541da2ba5d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q7:acallSllG4ZM7QzMs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2948	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2948	svchcst.exe
616	svchcst.exe
1232	svchcst.exe
1000	svchcst.exe
2972	svchcst.exe
768	svchcst.exe
1676	svchcst.exe
1780	svchcst.exe
2944	svchcst.exe
2572	svchcst.exe
1232	svchcst.exe
1696	svchcst.exe
2836	svchcst.exe
1552	svchcst.exe
2484	svchcst.exe
1924	svchcst.exe
2916	svchcst.exe
2424	svchcst.exe
944	svchcst.exe
636	svchcst.exe
2180	svchcst.exe
2480	svchcst.exe
948	svchcst.exe
2896	svchcst.exe
2860	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2640	WScript.exe
2640	WScript.exe
2376	WScript.exe
2376	WScript.exe
2364	WScript.exe
2376	WScript.exe
2376	WScript.exe
2376	WScript.exe
2460	WScript.exe
2460	WScript.exe
2268	WScript.exe
2268	WScript.exe
1800	WScript.exe
2628	WScript.exe
2804	WScript.exe
2804	WScript.exe
2804	WScript.exe
2804	WScript.exe
2428	WScript.exe
2428	WScript.exe
2512	WScript.exe
2512	WScript.exe
3016	WScript.exe
3016	WScript.exe
1512	WScript.exe
1512	WScript.exe
2976	WScript.exe
2976	WScript.exe
2932	WScript.exe
2932	WScript.exe
1980	WScript.exe
1980	WScript.exe
2640	WScript.exe
2640	WScript.exe
2872	WScript.exe
2872	WScript.exe
1700	WScript.exe
1700	WScript.exe
2168	WScript.exe
2168	WScript.exe
816	WScript.exe
816	WScript.exe
2268	WScript.exe
2268	WScript.exe
352	WScript.exe
352	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
2948	svchcst.exe
2948	svchcst.exe
616	svchcst.exe
616	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
768	svchcst.exe
768	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
944	svchcst.exe
944	svchcst.exe
636	svchcst.exe
636	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2640	2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe	30
PID 2132 wrote to memory of 2640	2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe	30
PID 2132 wrote to memory of 2640	2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe	30
PID 2132 wrote to memory of 2640	2132	421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe	30
PID 2640 wrote to memory of 2948	2640	WScript.exe	32
PID 2640 wrote to memory of 2948	2640	WScript.exe	32
PID 2640 wrote to memory of 2948	2640	WScript.exe	32
PID 2640 wrote to memory of 2948	2640	WScript.exe	32
PID 2948 wrote to memory of 2376	2948	svchcst.exe	34
PID 2948 wrote to memory of 2376	2948	svchcst.exe	34
PID 2948 wrote to memory of 2376	2948	svchcst.exe	34
PID 2948 wrote to memory of 2376	2948	svchcst.exe	34
PID 2948 wrote to memory of 2364	2948	svchcst.exe	33
PID 2948 wrote to memory of 2364	2948	svchcst.exe	33
PID 2948 wrote to memory of 2364	2948	svchcst.exe	33
PID 2948 wrote to memory of 2364	2948	svchcst.exe	33
PID 2376 wrote to memory of 616	2376	WScript.exe	35
PID 2376 wrote to memory of 616	2376	WScript.exe	35
PID 2376 wrote to memory of 616	2376	WScript.exe	35
PID 2376 wrote to memory of 616	2376	WScript.exe	35
PID 2364 wrote to memory of 1232	2364	WScript.exe	36
PID 2364 wrote to memory of 1232	2364	WScript.exe	36
PID 2364 wrote to memory of 1232	2364	WScript.exe	36
PID 2364 wrote to memory of 1232	2364	WScript.exe	36
PID 2376 wrote to memory of 1000	2376	WScript.exe	37
PID 2376 wrote to memory of 1000	2376	WScript.exe	37
PID 2376 wrote to memory of 1000	2376	WScript.exe	37
PID 2376 wrote to memory of 1000	2376	WScript.exe	37
PID 1000 wrote to memory of 1732	1000	svchcst.exe	38
PID 1000 wrote to memory of 1732	1000	svchcst.exe	38
PID 1000 wrote to memory of 1732	1000	svchcst.exe	38
PID 1000 wrote to memory of 1732	1000	svchcst.exe	38
PID 2376 wrote to memory of 2972	2376	WScript.exe	39
PID 2376 wrote to memory of 2972	2376	WScript.exe	39
PID 2376 wrote to memory of 2972	2376	WScript.exe	39
PID 2376 wrote to memory of 2972	2376	WScript.exe	39
PID 2972 wrote to memory of 2460	2972	svchcst.exe	40
PID 2972 wrote to memory of 2460	2972	svchcst.exe	40
PID 2972 wrote to memory of 2460	2972	svchcst.exe	40
PID 2972 wrote to memory of 2460	2972	svchcst.exe	40
PID 2460 wrote to memory of 768	2460	WScript.exe	41
PID 2460 wrote to memory of 768	2460	WScript.exe	41
PID 2460 wrote to memory of 768	2460	WScript.exe	41
PID 2460 wrote to memory of 768	2460	WScript.exe	41
PID 768 wrote to memory of 2268	768	svchcst.exe	42
PID 768 wrote to memory of 2268	768	svchcst.exe	42
PID 768 wrote to memory of 2268	768	svchcst.exe	42
PID 768 wrote to memory of 2268	768	svchcst.exe	42
PID 2268 wrote to memory of 1676	2268	WScript.exe	43
PID 2268 wrote to memory of 1676	2268	WScript.exe	43
PID 2268 wrote to memory of 1676	2268	WScript.exe	43
PID 2268 wrote to memory of 1676	2268	WScript.exe	43
PID 1676 wrote to memory of 1800	1676	svchcst.exe	44
PID 1676 wrote to memory of 1800	1676	svchcst.exe	44
PID 1676 wrote to memory of 1800	1676	svchcst.exe	44
PID 1676 wrote to memory of 1800	1676	svchcst.exe	44
PID 1800 wrote to memory of 1780	1800	WScript.exe	45
PID 1800 wrote to memory of 1780	1800	WScript.exe	45
PID 1800 wrote to memory of 1780	1800	WScript.exe	45
PID 1800 wrote to memory of 1780	1800	WScript.exe	45
PID 1780 wrote to memory of 2628	1780	svchcst.exe	46
PID 1780 wrote to memory of 2628	1780	svchcst.exe	46
PID 1780 wrote to memory of 2628	1780	svchcst.exe	46
PID 1780 wrote to memory of 2628	1780	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe
"C:\Users\Admin\AppData\Local\Temp\421fc39dce298d73ac739e402202db028c324a5126c626ceb14e8e751a5984cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1232
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:616
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1e654528464b03d54088f43500da4eb0

SHA1
6e42e9e484a96b764a032c9cf11e99c580629c70

SHA256
20a13c7649e398fee993c13b3e8f079f31a2c2701c19f08176d55f9c52bbf6c2

SHA512
abb5ad336f89e5ed25c58ca726e7907946472fd5e066070af6ef12363a7040e5f3d307cd5e725976f8e7a0de6f0d18b8de5ebecce7134acee01351a065c63ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8fafd2eed2c89d2154836fafeced15e

SHA1
568928bbb231c66468d4f427db5b40b4d78dcfa1

SHA256
7ae7df98eff0071cfd23914b104f2490f72f359da8f38928234940c2096624fd

SHA512
fd18dddbeb039637db03e368fa0ecea54f1a0167464df88bec48de5a27e2c1567d1d6d6587bdc5e1edf613b39343578677a4038f98ab0fb769f1bc0c90c0ed7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ac0cd8a29f0a4c2ef4a95dba07b92d89

SHA1
5ca95348edafff182221472401c83ff64f28d0cc

SHA256
ab62f7b2cafa32ba69a94d7d5e342d8ee398f037b06668d6679ec73d8e072584

SHA512
08d8f1a2eb0fe4ae59bad3eaf46910a5ab00cc20c67090ea02756cb5f118b1014bf37d392c83a9b1245fa5350ba771ec467f75a9c9e9a16f36977da260dbd42d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7c480d20dd7251d9cf3ac960e2fd9af

SHA1
1cfa7aeae3fe16049948f35d4db80474d08d7dd8

SHA256
8ccb67ee68f0a0e02f9e4fd6ac30104779873be9cd54f9843df0f91a121920c9

SHA512
eaffd4d401f01fb915cd20c7dab3f0456b6460cdbd5c5d54ddfc32ecbcfa0f26795e7af1890cf8eb91223aa07a36ad173dab5a2fb1d2aa4f664071e6459edc78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0cfc6aceb4c1c94b5debc409da1c968d

SHA1
adacd44a771aed42a9077c7a6de3b1e6af04dddb

SHA256
5237d70be8b7e9fdd7776ce0a80a59cfe5cc81e9af05d0865518d74f79033b39

SHA512
5fddc097bc9fa6b0cd9f81090aa365e4340002ae94bb24bbf1bb925c62cee30f01b0cadd5bf9d86e8daadcc3ab31d8b0ebd26562c973e641a4abf1732dbab478

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5a68b8355bd10235ac462163c181185b

SHA1
c1c94052307c5682de401eacb9df6ab5b33d3071

SHA256
20705904638a4dd18b6ce8ddc2a02c6116ca0215d5492a1ca1f0c5437dd81380

SHA512
06d7f5f345def71db17a12d592abaed9a7fe7241199183ce54b2a49f81ca309679fc730ee61f228bacc25927d134c65743205fcc0fefc67078b026d1b4310523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a43e23b9e19bc44f2631fb9f89db8be5

SHA1
302ba078d8f46336e6237d1b5542dd9522010a6d

SHA256
a54c5d54074dcb9a391d77ac2d2419c03f8d76c14a7e34a647bb6675ad247f80

SHA512
adaf234b52a25449842b1abcde8b5548a375817dd57ded66df96ac5efccd40a8d3d458ca44c510f690038b1078b9ce3146fdd5b07fc2f679a07997c68141d13c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9a762b8ae6fc9473938807c81d17d04a

SHA1
71c13692ba60276fba26c4c31e72050de8efa93f

SHA256
c3114929208ca18000b97bdcfffc3b58dd94e88396cb659729a084dcb9a8a3f1

SHA512
d343102caf950f890bb9b8e4e2f39d68302aadb8e00221165d06707c3830486b6b579e574921dee5b443dc8e5c3ae509751f53b51f250c09c3be2e050b39e1c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1bd2bdbdba6d968334500c01daae4692

SHA1
a5f129e70cd60f4c08623aa82bb0fe55d4c4f99b

SHA256
31e3cfca617dcdb88480acaf7462dddeed7c475ea7272603c29d2d6cf790013e

SHA512
e158f22c07b4237f2d0cb639668c8f946bd624dc204e7586b1134b39e6b76c007e65282d01a4c0a131da5b398a755989f778c7a0b20908d5bf41dd3b3fdeddf0

Download Submit
memory/616-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/616-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/636-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1232-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1232-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1232-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-169-0x0000000005E70000-0x0000000005FCF000-memory.dmp

Filesize
1.4MB

Download
memory/1552-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-85-0x0000000005E70000-0x0000000005FCF000-memory.dmp

Filesize
1.4MB

Download
memory/2376-39-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2376-48-0x00000000059C0000-0x0000000005B1F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-144-0x0000000003D40000-0x0000000003E9F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-15-0x0000000003F10000-0x000000000406F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-14-0x0000000003F10000-0x000000000406F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2972-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-178-0x0000000005EA0000-0x0000000005FFF000-memory.dmp

Filesize
1.4MB

Download