51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Size

1.1MB
MD5

e290bd8806761a77b1d6463c37e5eb34
SHA1

673bfa67e8a97c03b7a20c0f42123e65068ed0f5
SHA256

51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa
SHA512

43caaf15108c38e745e06ae351685e2b036b4da3f36d98581625ed288f40a59cb2237ea804362b0c842ff7ea4009a3650578ab96f3d3c864457a9fa4ddc4fc8f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QZ:acallSllG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2928	svchcst.exe
264	svchcst.exe
2860	svchcst.exe
1164	svchcst.exe
1340	svchcst.exe
1952	svchcst.exe
892	svchcst.exe
1300	svchcst.exe
2688	svchcst.exe
2760	svchcst.exe
3048	svchcst.exe
1764	svchcst.exe
2840	svchcst.exe
1924	svchcst.exe
304	svchcst.exe
1480	svchcst.exe
2920	svchcst.exe
2848	svchcst.exe
3000	svchcst.exe
1244	svchcst.exe
1080	svchcst.exe
2100	svchcst.exe
2156	svchcst.exe
2012	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
1100	WScript.exe
1100	WScript.exe
3000	WScript.exe
2044	WScript.exe
2840	WScript.exe
2840	WScript.exe
2412	WScript.exe
2412	WScript.exe
912	WScript.exe
912	WScript.exe
572	WScript.exe
1720	WScript.exe
1720	WScript.exe
2708	WScript.exe
2708	WScript.exe
2708	WScript.exe
1548	WScript.exe
1548	WScript.exe
524	WScript.exe
524	WScript.exe
1748	WScript.exe
1748	WScript.exe
2540	WScript.exe
2540	WScript.exe
2548	WScript.exe
2548	WScript.exe
2008	WScript.exe
2008	WScript.exe
1668	WScript.exe
1668	WScript.exe
2052	WScript.exe
2052	WScript.exe
2632	WScript.exe
2632	WScript.exe
1916	WScript.exe
1916	WScript.exe
1868	WScript.exe
1868	WScript.exe
1048	WScript.exe
1048	WScript.exe
1996	WScript.exe
1996	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
2928	svchcst.exe
2928	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
892	svchcst.exe
892	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
304	svchcst.exe
304	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1100	2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	30
PID 2564 wrote to memory of 1100	2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	30
PID 2564 wrote to memory of 1100	2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	30
PID 2564 wrote to memory of 1100	2564	51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe	30
PID 1100 wrote to memory of 2928	1100	WScript.exe	33
PID 1100 wrote to memory of 2928	1100	WScript.exe	33
PID 1100 wrote to memory of 2928	1100	WScript.exe	33
PID 1100 wrote to memory of 2928	1100	WScript.exe	33
PID 2928 wrote to memory of 3000	2928	svchcst.exe	34
PID 2928 wrote to memory of 3000	2928	svchcst.exe	34
PID 2928 wrote to memory of 3000	2928	svchcst.exe	34
PID 2928 wrote to memory of 3000	2928	svchcst.exe	34
PID 3000 wrote to memory of 264	3000	WScript.exe	35
PID 3000 wrote to memory of 264	3000	WScript.exe	35
PID 3000 wrote to memory of 264	3000	WScript.exe	35
PID 3000 wrote to memory of 264	3000	WScript.exe	35
PID 264 wrote to memory of 2044	264	svchcst.exe	36
PID 264 wrote to memory of 2044	264	svchcst.exe	36
PID 264 wrote to memory of 2044	264	svchcst.exe	36
PID 264 wrote to memory of 2044	264	svchcst.exe	36
PID 2044 wrote to memory of 2860	2044	WScript.exe	37
PID 2044 wrote to memory of 2860	2044	WScript.exe	37
PID 2044 wrote to memory of 2860	2044	WScript.exe	37
PID 2044 wrote to memory of 2860	2044	WScript.exe	37
PID 2860 wrote to memory of 2840	2860	svchcst.exe	38
PID 2860 wrote to memory of 2840	2860	svchcst.exe	38
PID 2860 wrote to memory of 2840	2860	svchcst.exe	38
PID 2860 wrote to memory of 2840	2860	svchcst.exe	38
PID 2840 wrote to memory of 1164	2840	WScript.exe	39
PID 2840 wrote to memory of 1164	2840	WScript.exe	39
PID 2840 wrote to memory of 1164	2840	WScript.exe	39
PID 2840 wrote to memory of 1164	2840	WScript.exe	39
PID 1164 wrote to memory of 2412	1164	svchcst.exe	40
PID 1164 wrote to memory of 2412	1164	svchcst.exe	40
PID 1164 wrote to memory of 2412	1164	svchcst.exe	40
PID 1164 wrote to memory of 2412	1164	svchcst.exe	40
PID 2412 wrote to memory of 1340	2412	WScript.exe	41
PID 2412 wrote to memory of 1340	2412	WScript.exe	41
PID 2412 wrote to memory of 1340	2412	WScript.exe	41
PID 2412 wrote to memory of 1340	2412	WScript.exe	41
PID 1340 wrote to memory of 912	1340	svchcst.exe	42
PID 1340 wrote to memory of 912	1340	svchcst.exe	42
PID 1340 wrote to memory of 912	1340	svchcst.exe	42
PID 1340 wrote to memory of 912	1340	svchcst.exe	42
PID 912 wrote to memory of 1952	912	WScript.exe	43
PID 912 wrote to memory of 1952	912	WScript.exe	43
PID 912 wrote to memory of 1952	912	WScript.exe	43
PID 912 wrote to memory of 1952	912	WScript.exe	43
PID 1952 wrote to memory of 572	1952	svchcst.exe	44
PID 1952 wrote to memory of 572	1952	svchcst.exe	44
PID 1952 wrote to memory of 572	1952	svchcst.exe	44
PID 1952 wrote to memory of 572	1952	svchcst.exe	44
PID 572 wrote to memory of 892	572	WScript.exe	45
PID 572 wrote to memory of 892	572	WScript.exe	45
PID 572 wrote to memory of 892	572	WScript.exe	45
PID 572 wrote to memory of 892	572	WScript.exe	45
PID 892 wrote to memory of 1720	892	svchcst.exe	46
PID 892 wrote to memory of 1720	892	svchcst.exe	46
PID 892 wrote to memory of 1720	892	svchcst.exe	46
PID 892 wrote to memory of 1720	892	svchcst.exe	46
PID 1720 wrote to memory of 1300	1720	WScript.exe	47
PID 1720 wrote to memory of 1300	1720	WScript.exe	47
PID 1720 wrote to memory of 1300	1720	WScript.exe	47
PID 1720 wrote to memory of 1300	1720	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe
"C:\Users\Admin\AppData\Local\Temp\51fff0f004903f62d08a9980dad98ba937ebed7b82c06783c124a58a82370faa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4d76ccea4475111a14a85e3190f6c3fc

SHA1
1339b15765cfdeb4f6475205601faaece8b06a50

SHA256
22293d2cec4f8af0c12e25e754846f327203f1a1836c1acab09e4d088eb85701

SHA512
fc7a8ef4d7edbacdaa786529a11bfe04b8350f32bb3cf9f15d1ab4ca97574adbf0eb4934bfe0523ffd9b154a166d85816f5ed67a78f25358732233e9dd77888c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
152b2182e91cba013b133ca9d6b05b52

SHA1
d4c9181ed419262da70722f98d22d9f4d49c1c58

SHA256
fb15f35e12aab0f9be94bddcf4bfa52f32cc7853652f269a46371cfa7a127af2

SHA512
dd75ec1411aa49919fa5b20517f312468213c0fe2d850bbd0178d3b2b30cf36a913d886846746ce35fded0994450a85f5d5f6730876089f28c792545c3d64c0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b59cf6e79ee60e3111ca9584a94ce5e

SHA1
3738e6e92d9ce8112db7cc51f441b1b8bd9d08a0

SHA256
af75cc261de3d491dff9d5948882df7f596d6267d0407b88215bb116566a4ec6

SHA512
5230f99ba588f143dee2991b97d89a813d5c9c1c4e61a35d1cd43f37d1a842f725e8e08680776eada9cb59a935d93a1e60e36d6f47dace92dfef9e792c5b7ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0cf86e0d284b9230929c7c712c1c2de

SHA1
137635232c33f281ee55c7cbd541606058452822

SHA256
2613246a9200aba51a61774d5f382fd73d961615d024f6d6b7e828d6498e2e90

SHA512
8079adb953d66dd76634cb62e8c75f7983916a8f854db87a38e4f86fcb8b076cb2ac9476d54b54b5622fa08f5a3d412b2164f947557f2215c286e8260bdaabc2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a461e4623928b456d6abc4414a9dc8a

SHA1
94186b7c627020cc880e886a67f166a50cb66114

SHA256
22fff2b46c5338ef900f59eecb2f6fbba3f79cb03083579616d07c21c5fce6ef

SHA512
faad6d31a2304e3824e9448f68769d1753508c8841bc761ffb2dca5a79731ff4456540c7368adb11710b00f3d77f0b29f18999fd7cb9376d849d70b1aed4fede

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fcab8adcfeeae910973e8ec457e6ea41

SHA1
8dc4a8648f60a1d1fca6965678b6df7aba64befe

SHA256
bc5fe5b96507724ddd09d417cf98087fd37ab8e135bee8afd019cbc112b05964

SHA512
8c04b251fc1a394b7893893de3eb6b0a0d1de34db0f6090c9caa346761babb622602201758899897cf65549e5370c1ce5eb0b2a6e4ea1e09c27f683b7f8c0b74

Download Submit
memory/264-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/264-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/304-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/304-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-240-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1100-14-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/1100-15-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1340-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1340-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-231-0x0000000004550000-0x00000000046AF000-memory.dmp

Filesize
1.4MB

Download
memory/1916-221-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/1924-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-212-0x00000000044D0000-0x000000000462F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-256-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-229-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-261-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-170-0x0000000005A40000-0x0000000005B9F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-179-0x0000000006030000-0x000000000618F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-262-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2840-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2840-53-0x00000000049F0000-0x0000000004B4F000-memory.dmp

Filesize
1.4MB

Download
memory/2840-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2920-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2920-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download