5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
Size

1.1MB
MD5

b12d64ca1702cc3948ad16cc66bc710e
SHA1

f5969bfbd9842199f893cba6643ab4d82bd6a230
SHA256

5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d
SHA512

f7de9ac74778ecb244aa5f5e4a3669d4876aff02da8c16c17890d6343d5a94c3c91233cfd3bcd1dd3482df82552fc98803d85c127b8cca79f4ae447c3700daca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QE:acallSllG4ZM7QzMz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1944	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
1944	svchcst.exe
2160	svchcst.exe
1352	svchcst.exe
2344	svchcst.exe
1540	svchcst.exe
1044	svchcst.exe
1756	svchcst.exe
2888	svchcst.exe
2560	svchcst.exe
2796	svchcst.exe
2004	svchcst.exe
2964	svchcst.exe
1996	svchcst.exe
1032	svchcst.exe
2768	svchcst.exe
2156	svchcst.exe
1944	svchcst.exe
1864	svchcst.exe
1372	svchcst.exe
1036	svchcst.exe
952	svchcst.exe
2984	svchcst.exe
2324	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2388	WScript.exe
2388	WScript.exe
2640	WScript.exe
2004	WScript.exe
2004	WScript.exe
2964	WScript.exe
2964	WScript.exe
408	WScript.exe
896	WScript.exe
2916	WScript.exe
1824	WScript.exe
1824	WScript.exe
2656	WScript.exe
1068	WScript.exe
2816	WScript.exe
2816	WScript.exe
1664	WScript.exe
2404	WScript.exe
2404	WScript.exe
3016	WScript.exe
3016	WScript.exe
1852	WScript.exe
1852	WScript.exe
3032	WScript.exe
3032	WScript.exe
2400	WScript.exe
2400	WScript.exe
1660	WScript.exe
1660	WScript.exe
2308	WScript.exe
2308	WScript.exe
2836	WScript.exe
2836	WScript.exe
1068	WScript.exe
1068	WScript.exe
1664	WScript.exe
1664	WScript.exe
328	WScript.exe
328	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
1944	svchcst.exe
1944	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
952	svchcst.exe
952	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2388	2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	31
PID 2280 wrote to memory of 2388	2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	31
PID 2280 wrote to memory of 2388	2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	31
PID 2280 wrote to memory of 2388	2280	5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe	31
PID 2388 wrote to memory of 1944	2388	WScript.exe	33
PID 2388 wrote to memory of 1944	2388	WScript.exe	33
PID 2388 wrote to memory of 1944	2388	WScript.exe	33
PID 2388 wrote to memory of 1944	2388	WScript.exe	33
PID 1944 wrote to memory of 2640	1944	svchcst.exe	34
PID 1944 wrote to memory of 2640	1944	svchcst.exe	34
PID 1944 wrote to memory of 2640	1944	svchcst.exe	34
PID 1944 wrote to memory of 2640	1944	svchcst.exe	34
PID 2640 wrote to memory of 2160	2640	WScript.exe	35
PID 2640 wrote to memory of 2160	2640	WScript.exe	35
PID 2640 wrote to memory of 2160	2640	WScript.exe	35
PID 2640 wrote to memory of 2160	2640	WScript.exe	35
PID 2160 wrote to memory of 2004	2160	svchcst.exe	36
PID 2160 wrote to memory of 2004	2160	svchcst.exe	36
PID 2160 wrote to memory of 2004	2160	svchcst.exe	36
PID 2160 wrote to memory of 2004	2160	svchcst.exe	36
PID 2004 wrote to memory of 1352	2004	WScript.exe	37
PID 2004 wrote to memory of 1352	2004	WScript.exe	37
PID 2004 wrote to memory of 1352	2004	WScript.exe	37
PID 2004 wrote to memory of 1352	2004	WScript.exe	37
PID 1352 wrote to memory of 2964	1352	svchcst.exe	38
PID 1352 wrote to memory of 2964	1352	svchcst.exe	38
PID 1352 wrote to memory of 2964	1352	svchcst.exe	38
PID 1352 wrote to memory of 2964	1352	svchcst.exe	38
PID 2964 wrote to memory of 2344	2964	WScript.exe	39
PID 2964 wrote to memory of 2344	2964	WScript.exe	39
PID 2964 wrote to memory of 2344	2964	WScript.exe	39
PID 2964 wrote to memory of 2344	2964	WScript.exe	39
PID 2344 wrote to memory of 408	2344	svchcst.exe	40
PID 2344 wrote to memory of 408	2344	svchcst.exe	40
PID 2344 wrote to memory of 408	2344	svchcst.exe	40
PID 2344 wrote to memory of 408	2344	svchcst.exe	40
PID 408 wrote to memory of 1540	408	WScript.exe	41
PID 408 wrote to memory of 1540	408	WScript.exe	41
PID 408 wrote to memory of 1540	408	WScript.exe	41
PID 408 wrote to memory of 1540	408	WScript.exe	41
PID 1540 wrote to memory of 896	1540	svchcst.exe	42
PID 1540 wrote to memory of 896	1540	svchcst.exe	42
PID 1540 wrote to memory of 896	1540	svchcst.exe	42
PID 1540 wrote to memory of 896	1540	svchcst.exe	42
PID 896 wrote to memory of 1044	896	WScript.exe	43
PID 896 wrote to memory of 1044	896	WScript.exe	43
PID 896 wrote to memory of 1044	896	WScript.exe	43
PID 896 wrote to memory of 1044	896	WScript.exe	43
PID 1044 wrote to memory of 2916	1044	svchcst.exe	44
PID 1044 wrote to memory of 2916	1044	svchcst.exe	44
PID 1044 wrote to memory of 2916	1044	svchcst.exe	44
PID 1044 wrote to memory of 2916	1044	svchcst.exe	44
PID 2916 wrote to memory of 1756	2916	WScript.exe	45
PID 2916 wrote to memory of 1756	2916	WScript.exe	45
PID 2916 wrote to memory of 1756	2916	WScript.exe	45
PID 2916 wrote to memory of 1756	2916	WScript.exe	45
PID 1756 wrote to memory of 1824	1756	svchcst.exe	46
PID 1756 wrote to memory of 1824	1756	svchcst.exe	46
PID 1756 wrote to memory of 1824	1756	svchcst.exe	46
PID 1756 wrote to memory of 1824	1756	svchcst.exe	46
PID 1824 wrote to memory of 2888	1824	WScript.exe	47
PID 1824 wrote to memory of 2888	1824	WScript.exe	47
PID 1824 wrote to memory of 2888	1824	WScript.exe	47
PID 1824 wrote to memory of 2888	1824	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe
"C:\Users\Admin\AppData\Local\Temp\5de35a52aafd9c177dc901d7931fcb426b75588a53a93ea3eeb4b7d5f5a08e6d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
31ca1dbb48b17fd7dc2fc0a5e2e0a1d8

SHA1
4b0666356ebf8d6073dee51cea751b110a1a4e36

SHA256
756c9ab159f49fe8d010d623308e8c665d79cac1ab03faffa8c956ee52b82b11

SHA512
6de3563f7eab269b2a49260a4014b06e2de436565804c0e0524b1238de2ae9dd62fb4a50011811c8d0e1b84c7c5fc6bf354ccbec827adf506d805b470b27d8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5cd8aed5cc6a89e8b7d9d07bfd488d46

SHA1
e637c6cbb364266ae23635accaac2fb0224a0e91

SHA256
ff2d35bc80f8bea6fb007fe2bcbaef410008cf86821b25d34d02a629b864db38

SHA512
c1793a65161f752656e5edf0916429bd5296f93ddeda5ca0928f6bf1404ad7170b1a0c31ad12b86684bf09ab4b1e6f075f1888d70de67894fca1f9dc3f7b2028

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62bdbc42d80d79ef2cb87a0e67697a1e

SHA1
c56d1da4fbf164e032673cb7f7bd7bc6fd3c6f41

SHA256
31f1b6df41f906df1e7d3f537ef74a369903a1741fe1a0393ed7350cb861061b

SHA512
4f1b464e1a3012eef754fa079067250a5a5bc103da192d98ac7cbd4b7d2c8d1c3029c4e3e1a2fecee669eecc038402a5a41b51c5d8a779b7655cdb566ab494ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
97ca7e6c0dd3ca8068d8966c332477a9

SHA1
3e6faeceef3e5b35dd482e26c9085d79f77d4b7a

SHA256
08a2421c215ce19d0ba1395a3f918f3065373134d83c835413b478e6848c7767

SHA512
3fb837e01a9f2ef9bd2e69bb2fbd0c18167b528602d5b15260daaa3c5a5c7c5aab4c5181d20859cda781d31116a3ef12950d264cd829658ab32eb8e39c323da8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
251dc7f604f2ec16b72e4d912e46577e

SHA1
6adcaa984dea3d7580d6e475496a17b1ca0d938e

SHA256
a6db8d2911abc7e5069668227befbc034dbce2cf032c6ff57f4c3c9d70e9158d

SHA512
4c72085ca2c19234206f11168a328babdeb1b3314778f601be286dc33d43b9910e8fe41cf70d0a208f8180ddb1c0d5f465a96b668ab16bf79d0335650aa75b3d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6d451868fbedd640680937e873c36c00

SHA1
46fb0b76c429bd059a1c620ee00a9408d147fe3c

SHA256
725ef64484dbac49b9f2b543b7f7d2ffb683a48ed7fe52df6707a2640ae2203d

SHA512
3a62cf5e12cda8a44869dc5949d73fc4c933c84e02de368debe9f0680f7dbf735c40403dae8b7a984540091308ddfb85b531fca912d0408daebcc7941aad7057

Download Submit
memory/328-245-0x0000000004950000-0x0000000004AAF000-memory.dmp

Filesize
1.4MB

Download
memory/408-72-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/896-82-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/952-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-44-0x0000000005C20000-0x0000000005D7F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2004-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-38-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-28-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-64-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-63-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-173-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download