51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
Size

1.1MB
MD5

8664995f98dfb1f0f9f8ff3343b2cd78
SHA1

002185a2882a3fc3170ca8bfd134a2bca5093d6a
SHA256

51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d
SHA512

70a8502a48c94b91a868754526231e37fdd0d166b86d8f47c39fa33294000db43226863b8f5c51ba172751437880fe425e2fcc015e6cc29306f9ce8bb4f62f82
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qo:acallSllG4ZM7QzM/

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2996	svchcst.exe
2040	svchcst.exe
2796	svchcst.exe
2196	svchcst.exe
292	svchcst.exe
1040	svchcst.exe
1968	svchcst.exe
2756	svchcst.exe
2996	svchcst.exe
1236	svchcst.exe
2964	svchcst.exe
1528	svchcst.exe
2688	svchcst.exe
1988	svchcst.exe
2448	svchcst.exe
536	svchcst.exe
2092	svchcst.exe
588	svchcst.exe
1320	svchcst.exe
1424	svchcst.exe
2320	svchcst.exe
572	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2660	WScript.exe
2660	WScript.exe
1816	WScript.exe
1816	WScript.exe
2416	WScript.exe
340	WScript.exe
1120	WScript.exe
1120	WScript.exe
1120	WScript.exe
2424	WScript.exe
2424	WScript.exe
1584	WScript.exe
1584	WScript.exe
2632	WScript.exe
2632	WScript.exe
1596	WScript.exe
1596	WScript.exe
2100	WScript.exe
2100	WScript.exe
1824	WScript.exe
1824	WScript.exe
1076	WScript.exe
1076	WScript.exe
2956	WScript.exe
2956	WScript.exe
2932	WScript.exe
2932	WScript.exe
2328	WScript.exe
2328	WScript.exe
2040	WScript.exe
2040	WScript.exe
1944	WScript.exe
1944	WScript.exe
2980	WScript.exe
2980	WScript.exe
1640	WScript.exe
1640	WScript.exe
1156	WScript.exe
1156	WScript.exe
1752	WScript.exe
1752	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
2996	svchcst.exe
2996	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
292	svchcst.exe
292	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
588	svchcst.exe
588	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1424	svchcst.exe
1424	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
572	svchcst.exe
572	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2660	1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe	30
PID 1688 wrote to memory of 2660	1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe	30
PID 1688 wrote to memory of 2660	1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe	30
PID 1688 wrote to memory of 2660	1688	51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe	30
PID 2660 wrote to memory of 2996	2660	WScript.exe	32
PID 2660 wrote to memory of 2996	2660	WScript.exe	32
PID 2660 wrote to memory of 2996	2660	WScript.exe	32
PID 2660 wrote to memory of 2996	2660	WScript.exe	32
PID 2996 wrote to memory of 1816	2996	svchcst.exe	33
PID 2996 wrote to memory of 1816	2996	svchcst.exe	33
PID 2996 wrote to memory of 1816	2996	svchcst.exe	33
PID 2996 wrote to memory of 1816	2996	svchcst.exe	33
PID 1816 wrote to memory of 2040	1816	WScript.exe	34
PID 1816 wrote to memory of 2040	1816	WScript.exe	34
PID 1816 wrote to memory of 2040	1816	WScript.exe	34
PID 1816 wrote to memory of 2040	1816	WScript.exe	34
PID 2040 wrote to memory of 2416	2040	svchcst.exe	35
PID 2040 wrote to memory of 2416	2040	svchcst.exe	35
PID 2040 wrote to memory of 2416	2040	svchcst.exe	35
PID 2040 wrote to memory of 2416	2040	svchcst.exe	35
PID 2416 wrote to memory of 2796	2416	WScript.exe	36
PID 2416 wrote to memory of 2796	2416	WScript.exe	36
PID 2416 wrote to memory of 2796	2416	WScript.exe	36
PID 2416 wrote to memory of 2796	2416	WScript.exe	36
PID 2796 wrote to memory of 340	2796	svchcst.exe	37
PID 2796 wrote to memory of 340	2796	svchcst.exe	37
PID 2796 wrote to memory of 340	2796	svchcst.exe	37
PID 2796 wrote to memory of 340	2796	svchcst.exe	37
PID 340 wrote to memory of 2196	340	WScript.exe	38
PID 340 wrote to memory of 2196	340	WScript.exe	38
PID 340 wrote to memory of 2196	340	WScript.exe	38
PID 340 wrote to memory of 2196	340	WScript.exe	38
PID 2196 wrote to memory of 1120	2196	svchcst.exe	39
PID 2196 wrote to memory of 1120	2196	svchcst.exe	39
PID 2196 wrote to memory of 1120	2196	svchcst.exe	39
PID 2196 wrote to memory of 1120	2196	svchcst.exe	39
PID 1120 wrote to memory of 292	1120	WScript.exe	40
PID 1120 wrote to memory of 292	1120	WScript.exe	40
PID 1120 wrote to memory of 292	1120	WScript.exe	40
PID 1120 wrote to memory of 292	1120	WScript.exe	40
PID 292 wrote to memory of 3036	292	svchcst.exe	41
PID 292 wrote to memory of 3036	292	svchcst.exe	41
PID 292 wrote to memory of 3036	292	svchcst.exe	41
PID 292 wrote to memory of 3036	292	svchcst.exe	41
PID 1120 wrote to memory of 1040	1120	WScript.exe	42
PID 1120 wrote to memory of 1040	1120	WScript.exe	42
PID 1120 wrote to memory of 1040	1120	WScript.exe	42
PID 1120 wrote to memory of 1040	1120	WScript.exe	42
PID 1040 wrote to memory of 2424	1040	svchcst.exe	43
PID 1040 wrote to memory of 2424	1040	svchcst.exe	43
PID 1040 wrote to memory of 2424	1040	svchcst.exe	43
PID 1040 wrote to memory of 2424	1040	svchcst.exe	43
PID 2424 wrote to memory of 1968	2424	WScript.exe	44
PID 2424 wrote to memory of 1968	2424	WScript.exe	44
PID 2424 wrote to memory of 1968	2424	WScript.exe	44
PID 2424 wrote to memory of 1968	2424	WScript.exe	44
PID 1968 wrote to memory of 1584	1968	svchcst.exe	45
PID 1968 wrote to memory of 1584	1968	svchcst.exe	45
PID 1968 wrote to memory of 1584	1968	svchcst.exe	45
PID 1968 wrote to memory of 1584	1968	svchcst.exe	45
PID 1584 wrote to memory of 2756	1584	WScript.exe	46
PID 1584 wrote to memory of 2756	1584	WScript.exe	46
PID 1584 wrote to memory of 2756	1584	WScript.exe	46
PID 1584 wrote to memory of 2756	1584	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe
"C:\Users\Admin\AppData\Local\Temp\51c2f951960330b5ed53bb4823aeea37e80e2ee5dc47a5d40fc0262cdd43041d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
851b0656abe935bee686cbba879635da

SHA1
7f578263d48d308bb931617d8ead2bd40e7a10ad

SHA256
1d5e0c7eea09a29a1314465a2b577fd5eb1aa4cfc7cbe4a93ce0b7d7f3c581e8

SHA512
5b24eae30cbcf260ec529af407d5b33f4249549c88a8954a3fae30d390b1fd0ede6c496b408d633e0d137d78d51787bcbdade03b231c3ca2b0db7c20ac42b914

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4bb264ebf68d3a0c56f58ef2bb0574c4

SHA1
6d2b53980e4c8f3b162445f0ad7c0701d29a392b

SHA256
8602a084f9f31d0fee01350328df5a0ec10f9c4a950e878fee12c00028451fe1

SHA512
c04202da4060d07ed36dda60c0534bcf52ae03dbf58511457f5340c35f7b899e7f1c362bfdb30c2c46aa9c469a32222d0ec38ac6baf0c14cc884fc8ae477130b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
89e2b53455441846264dba2c1c3650d1

SHA1
89360a5363caa5d94e2d620a8467ea7837821c19

SHA256
da933c28af3b758336dfba24514544fc2cba9d252a7de62a38de8150852c0c05

SHA512
938dc396c6eb8c675e111dfebdc64b144c0cf60292eed368c1501ccbb9091cba30f0fb6f258b7e4aa832c684cac2c191cbcc36736fda101618f8de01f6af1f91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1671885944dbc29efdc2ff98579fae19

SHA1
ef10615c401144a5d58ade000caeab1c11c0f36f

SHA256
afa4ba4f13807886fd66c1dcc932bc58cf0a950b28ca0d5c74881d1342ec3aa9

SHA512
09c9421f3cca0c74b91b43f7232bbf03fbe7995834b597459c868391bcfc4ba7d2acc0f7c5deb3409afce96f42c3dcadb1486b7c4caf7a93eec0160631460a88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dddd5a86d8f09aa23100fb792539b131

SHA1
c075b1b14a0ada9699832a946bbabdf8f36a72f7

SHA256
249b0d0ddbd2f44782e75fe92e7af5e1e26395c0e49b79bd4a79332e32b643eb

SHA512
275c647f8f5d3883c4ca3c6e536422b5ff65d10802b6b30749c08e157632411f1de6e233df7840eeca798a5ed6f5eec3199c3a39dbc564c8ea2939e0c6cc4f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a3894c25e8c62131f6b4030b2a5daf94

SHA1
8a6e84c5305ec365765de85de32603f1256285c6

SHA256
397ee66e57302b3449586f33f2d1005a46de3480ee85f00a51da97267b896962

SHA512
1fcf28ea1368dc21ea1d1d7dbd152e7107955d5afb377031d1f445a63894247cc0731753f5bb9a0040d816769cfca176fdeb649c8bf0871a47c04a8d3c14c480

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
35ad30aa788f89d20c7354153e5aead2

SHA1
f0695ac85895023e3ff724d635bdd686d3deac07

SHA256
03512d33863cf6896a068a3c8d35c41e34cd5d62e158be743621dde4d3357356

SHA512
079f9b421b1be12403f71a75e90e6e5a54993949d89ae915b31a2e98a21e8908c4153cfc22d5011eab13ec96d1c43869c805ebd7e456b9e9c2b29d4a9abe909f

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
1.1MB

MD5
cd4adee5dc316251104dcc2771ce371b

SHA1
0bcc2e35c1355d0e268b745dc956fca3140b4d5b

SHA256
d05cb8964851b7aa9698f5ef6900b4e4b9342ae182c2e8476fd97002c36e86ee

SHA512
fe7269fec3291c485758553d86dca2ad182d5640116d8ac54a625560de0f543ac900af20cdd88b71933442314cb0c277f20ae18014877aa026c370a40f73e544

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a78af52a7c70722744a3dcad6cfcbdd

SHA1
2347ec5beee129dc8b9f26588197645bdc6b59a8

SHA256
1b89d81619bb4e49a184bfe87adb93f3e9e1b5186195b4e8728604aa52a2d88e

SHA512
987eada082a46171fd94e7c6a7d1d2d9d990bfe9d975b5e51d012c19042a6b63d838c0722dbe17079192106e35b80c07549cdcdeaf9ed4f567372664d32e079e

Download Submit
memory/292-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/292-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-77-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-108-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1596-138-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1824-162-0x0000000004840000-0x000000000499F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-152-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-94-0x00000000049C0000-0x0000000004B1F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-93-0x00000000049C0000-0x0000000004B1F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-123-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-14-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2660-13-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2688-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-193-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2796-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download