5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
Size

1.1MB
MD5

b37f2f26b80fce7ae09a9eb4a07b78f0
SHA1

ae7e46d39d9453177d1b03a2697f756ff5a14066
SHA256

5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519
SHA512

da185bb8651c69a7130024ed2c55c5bc374cf3b25a128b06478190af3cc64b59d38bc4e7dca702bcd48aaf18bf60be215f37b89755ec3bfe077d6959b3ba798a
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QI:acallSllG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2636	svchcst.exe
2064	svchcst.exe
2012	svchcst.exe
1188	svchcst.exe
924	svchcst.exe
2412	svchcst.exe
2568	svchcst.exe
1992	svchcst.exe
2224	svchcst.exe
2064	svchcst.exe
1800	svchcst.exe
1048	svchcst.exe
1796	svchcst.exe
2144	svchcst.exe
1624	svchcst.exe
2720	svchcst.exe
1828	svchcst.exe
1712	svchcst.exe
2532	svchcst.exe
1404	svchcst.exe
996	svchcst.exe
1664	svchcst.exe
1968	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2292	WScript.exe
2292	WScript.exe
2672	WScript.exe
2672	WScript.exe
2916	WScript.exe
876	WScript.exe
876	WScript.exe
876	WScript.exe
684	WScript.exe
2284	WScript.exe
2284	WScript.exe
1652	WScript.exe
2964	WScript.exe
2964	WScript.exe
660	WScript.exe
660	WScript.exe
1404	WScript.exe
1404	WScript.exe
996	WScript.exe
996	WScript.exe
3044	WScript.exe
3044	WScript.exe
3052	WScript.exe
3052	WScript.exe
2440	WScript.exe
2440	WScript.exe
2252	WScript.exe
2252	WScript.exe
1140	WScript.exe
1140	WScript.exe
1728	WScript.exe
1728	WScript.exe
2520	WScript.exe
2520	WScript.exe
2424	WScript.exe
2424	WScript.exe
2100	WScript.exe
2100	WScript.exe
1008	WScript.exe
1008	WScript.exe
840	WScript.exe
840	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
2636	svchcst.exe
2636	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1188	svchcst.exe
1188	svchcst.exe
924	svchcst.exe
924	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
996	svchcst.exe
996	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2292	1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe	30
PID 1352 wrote to memory of 2292	1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe	30
PID 1352 wrote to memory of 2292	1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe	30
PID 1352 wrote to memory of 2292	1352	5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe	30
PID 2292 wrote to memory of 2636	2292	WScript.exe	32
PID 2292 wrote to memory of 2636	2292	WScript.exe	32
PID 2292 wrote to memory of 2636	2292	WScript.exe	32
PID 2292 wrote to memory of 2636	2292	WScript.exe	32
PID 2636 wrote to memory of 2672	2636	svchcst.exe	33
PID 2636 wrote to memory of 2672	2636	svchcst.exe	33
PID 2636 wrote to memory of 2672	2636	svchcst.exe	33
PID 2636 wrote to memory of 2672	2636	svchcst.exe	33
PID 2636 wrote to memory of 2500	2636	svchcst.exe	34
PID 2636 wrote to memory of 2500	2636	svchcst.exe	34
PID 2636 wrote to memory of 2500	2636	svchcst.exe	34
PID 2636 wrote to memory of 2500	2636	svchcst.exe	34
PID 2672 wrote to memory of 2064	2672	WScript.exe	35
PID 2672 wrote to memory of 2064	2672	WScript.exe	35
PID 2672 wrote to memory of 2064	2672	WScript.exe	35
PID 2672 wrote to memory of 2064	2672	WScript.exe	35
PID 2064 wrote to memory of 2916	2064	svchcst.exe	36
PID 2064 wrote to memory of 2916	2064	svchcst.exe	36
PID 2064 wrote to memory of 2916	2064	svchcst.exe	36
PID 2064 wrote to memory of 2916	2064	svchcst.exe	36
PID 2916 wrote to memory of 2012	2916	WScript.exe	38
PID 2916 wrote to memory of 2012	2916	WScript.exe	38
PID 2916 wrote to memory of 2012	2916	WScript.exe	38
PID 2916 wrote to memory of 2012	2916	WScript.exe	38
PID 2012 wrote to memory of 876	2012	svchcst.exe	39
PID 2012 wrote to memory of 876	2012	svchcst.exe	39
PID 2012 wrote to memory of 876	2012	svchcst.exe	39
PID 2012 wrote to memory of 876	2012	svchcst.exe	39
PID 876 wrote to memory of 1188	876	WScript.exe	40
PID 876 wrote to memory of 1188	876	WScript.exe	40
PID 876 wrote to memory of 1188	876	WScript.exe	40
PID 876 wrote to memory of 1188	876	WScript.exe	40
PID 1188 wrote to memory of 2276	1188	svchcst.exe	41
PID 1188 wrote to memory of 2276	1188	svchcst.exe	41
PID 1188 wrote to memory of 2276	1188	svchcst.exe	41
PID 1188 wrote to memory of 2276	1188	svchcst.exe	41
PID 876 wrote to memory of 924	876	WScript.exe	42
PID 876 wrote to memory of 924	876	WScript.exe	42
PID 876 wrote to memory of 924	876	WScript.exe	42
PID 876 wrote to memory of 924	876	WScript.exe	42
PID 924 wrote to memory of 684	924	svchcst.exe	43
PID 924 wrote to memory of 684	924	svchcst.exe	43
PID 924 wrote to memory of 684	924	svchcst.exe	43
PID 924 wrote to memory of 684	924	svchcst.exe	43
PID 684 wrote to memory of 2412	684	WScript.exe	44
PID 684 wrote to memory of 2412	684	WScript.exe	44
PID 684 wrote to memory of 2412	684	WScript.exe	44
PID 684 wrote to memory of 2412	684	WScript.exe	44
PID 2412 wrote to memory of 2284	2412	svchcst.exe	45
PID 2412 wrote to memory of 2284	2412	svchcst.exe	45
PID 2412 wrote to memory of 2284	2412	svchcst.exe	45
PID 2412 wrote to memory of 2284	2412	svchcst.exe	45
PID 2284 wrote to memory of 2568	2284	WScript.exe	46
PID 2284 wrote to memory of 2568	2284	WScript.exe	46
PID 2284 wrote to memory of 2568	2284	WScript.exe	46
PID 2284 wrote to memory of 2568	2284	WScript.exe	46
PID 2568 wrote to memory of 1652	2568	svchcst.exe	47
PID 2568 wrote to memory of 1652	2568	svchcst.exe	47
PID 2568 wrote to memory of 1652	2568	svchcst.exe	47
PID 2568 wrote to memory of 1652	2568	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe
"C:\Users\Admin\AppData\Local\Temp\5373ca36f93b4010eb347541e352699ff82ac28fe1b547724186edd8bc81a519.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0c5ccb497f11d77c9e7babaa1175360c

SHA1
a209844d03b02fef3f0534e846f69a5b93a672e6

SHA256
ad091ac3cb06969f40c041ac944a44ff2e831e564162c4ca487a3d98daa5c507

SHA512
ebae75829608d061a7d03f7aed56fd8683092b2e573a33c72d3b0954009b4ef46538a3198eb20a02161ae60ed647e1c3a4c9096cd2ff76c1f962510fdc24401f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aeedcd351ccad83274658a315747dfc4

SHA1
93cf25131a98bb6dab0629e91d2e7bb148924310

SHA256
dd26f1a9f8ccdc3b2bb92322425ab1de5ce05f8bfd62f8c6e88bddec80c1597b

SHA512
8801a1f17cd648bc6b34bf482aac686d29f1e8e3fbf4a9cde38c71a8d02276a4201854a78d8fd63fe9c2583cde8e087f74a0a8e4f1d2c09d96d3ced6c2c79288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c5483c61a9c2a7ba6f5e01401c23189

SHA1
c2b04916e3d7d2475eb852c03408a62717a86a10

SHA256
dff9cfa7686399e8a85372322d7e88e493685d7ad1f12e1a7944aeede3ce5366

SHA512
aa81b6ff8139a2729990222f26e4f2953dfc9d2d3e5f024396241db61103db43a9f1ef1b5699ace37397d68a9b9e8b51dc6d70f2e535c6d4fa62611c811f08c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b51ab6aec6ca2dfae136507153511290

SHA1
5891f40733d2a3b92d38ab66393b81989f015ac4

SHA256
6569d24c6eb46a8ba2f9653a11c3b6c6d6dee80210b0a95b7928c4d65986ba6a

SHA512
ad995b8a323c49721be1593db3e44839517feb1789e6c1348af18c860b6f47ae4b0e0c94029657814308b58cc5863f7d9b1f6ed64b609192c635df6b7f3e7aaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dd95ebf62e2394dfb5afdae2e9f1e2f4

SHA1
342946d977d890cfc0dc596bbad7fe2c22ff4c96

SHA256
72abbf7dca611bb7635c2398d8c461e8905b6e261c4cedb83c58615674d4543d

SHA512
20bc3b824ef3553cf87534f71a546eae923d375074af394f2162cb621c8e6481b371482dccb4e2dbb9ff325060884ac366f106dbcb16f87999b49aefffd0a981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e0053bb9837c6c098d51bec26f837861

SHA1
cc8c4de6bda25af5eb67ba7e60f9e8059327b41b

SHA256
67ced98f709e5961ecf0658fc14f620e066b7dfee8181c2703253f6cf2e44378

SHA512
0163b43bfbeb600b3339f8f47e603f03764457af4a14e182d13182f1b83465a6ccc9e4ba847c4cd68f8b9f7d0176058e66cf50dec4bfd9911da207502768f47f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bff90fbd23f056efdd7967d2506add41

SHA1
58b05820f18909f9dadd1b0cf7d1dc805942718e

SHA256
eff8addf85f8820f311fef1cce544b22efb3ee16f0245a474de48f1b32c91fe9

SHA512
e263c292f9cd3c6393624f48708cb58d987ed4aadf61cca6bb714832dbb901dabe7c41da3bf8305a1c0a1dc64aee6083d4d3490e992d5f995e159e1d6184d8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bab824493be184c46038b9c80f1e3bf4

SHA1
f160c42f1d57c5c3f0f2e615f632f1ef86a85bb1

SHA256
31fa3fcdebe12faa153e4ee2dac209beaa11b93a40204a66daf1431d240cbb68

SHA512
1886541b0deeeefe0e30a946f6b6a3b3b29bad42f392612b9777f656b1e142fcbde50986f43a0b22ad96d16fa253ec7e51d0995c67ccf0ec1632e76eac1aa2c8

Download Submit
memory/876-71-0x00000000059F0000-0x0000000005B4F000-memory.dmp

Filesize
1.4MB

Download
memory/876-55-0x00000000059F0000-0x0000000005B4F000-memory.dmp

Filesize
1.4MB

Download
memory/876-69-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/924-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/924-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1404-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-230-0x0000000005CA0000-0x0000000005DFF000-memory.dmp

Filesize
1.4MB

Download
memory/2144-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2284-95-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2284-97-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2292-14-0x0000000005CD0000-0x0000000005E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-15-0x0000000005CD0000-0x0000000005E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-44-0x0000000005950000-0x0000000005AAF000-memory.dmp

Filesize
1.4MB

Download
memory/2964-124-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-125-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download