0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
Size

1.1MB
MD5

be17ccffeb17c629e416a833997cb12f
SHA1

97cf5cf344404afa904daf4708833ade17a46208
SHA256

0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32
SHA512

672081768c6efebbcc60318f5db09caa6bec079cd5157b11c43a7d960028945a0a8786b8ec1adb14b609696e8723086146cd08a9ddcaf620e76020958a91e99e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qa:acallSllG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2540	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2540	svchcst.exe
1268	svchcst.exe
2028	svchcst.exe
2092	svchcst.exe
1456	svchcst.exe
2132	svchcst.exe
1708	svchcst.exe
3064	svchcst.exe
2852	svchcst.exe
1236	svchcst.exe
2500	svchcst.exe
840	svchcst.exe
1844	svchcst.exe
744	svchcst.exe
872	svchcst.exe
1136	svchcst.exe
1636	svchcst.exe
812	svchcst.exe
2364	svchcst.exe
2220	svchcst.exe
1664	svchcst.exe
1512	svchcst.exe
1620	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2736	WScript.exe
2736	WScript.exe
1120	WScript.exe
1120	WScript.exe
1480	WScript.exe
1480	WScript.exe
2164	WScript.exe
2164	WScript.exe
2032	WScript.exe
1780	WScript.exe
2444	WScript.exe
2128	WScript.exe
2444	WScript.exe
2444	WScript.exe
1032	WScript.exe
2240	WScript.exe
2240	WScript.exe
2240	WScript.exe
1944	WScript.exe
1944	WScript.exe
1976	WScript.exe
1976	WScript.exe
1900	WScript.exe
1900	WScript.exe
1748	WScript.exe
1748	WScript.exe
1556	WScript.exe
1556	WScript.exe
2444	WScript.exe
2444	WScript.exe
532	WScript.exe
532	WScript.exe
2360	WScript.exe
2360	WScript.exe
1552	WScript.exe
1552	WScript.exe
1484	WScript.exe
1484	WScript.exe
924	WScript.exe
924	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
2540	svchcst.exe
2540	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
840	svchcst.exe
840	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
744	svchcst.exe
744	svchcst.exe
872	svchcst.exe
872	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
812	svchcst.exe
812	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2736	2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe	30
PID 2716 wrote to memory of 2736	2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe	30
PID 2716 wrote to memory of 2736	2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe	30
PID 2716 wrote to memory of 2736	2716	0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe	30
PID 2736 wrote to memory of 2540	2736	WScript.exe	32
PID 2736 wrote to memory of 2540	2736	WScript.exe	32
PID 2736 wrote to memory of 2540	2736	WScript.exe	32
PID 2736 wrote to memory of 2540	2736	WScript.exe	32
PID 2540 wrote to memory of 1120	2540	svchcst.exe	33
PID 2540 wrote to memory of 1120	2540	svchcst.exe	33
PID 2540 wrote to memory of 1120	2540	svchcst.exe	33
PID 2540 wrote to memory of 1120	2540	svchcst.exe	33
PID 2540 wrote to memory of 748	2540	svchcst.exe	34
PID 2540 wrote to memory of 748	2540	svchcst.exe	34
PID 2540 wrote to memory of 748	2540	svchcst.exe	34
PID 2540 wrote to memory of 748	2540	svchcst.exe	34
PID 1120 wrote to memory of 1268	1120	WScript.exe	35
PID 1120 wrote to memory of 1268	1120	WScript.exe	35
PID 1120 wrote to memory of 1268	1120	WScript.exe	35
PID 1120 wrote to memory of 1268	1120	WScript.exe	35
PID 1268 wrote to memory of 1480	1268	svchcst.exe	36
PID 1268 wrote to memory of 1480	1268	svchcst.exe	36
PID 1268 wrote to memory of 1480	1268	svchcst.exe	36
PID 1268 wrote to memory of 1480	1268	svchcst.exe	36
PID 1480 wrote to memory of 2028	1480	WScript.exe	37
PID 1480 wrote to memory of 2028	1480	WScript.exe	37
PID 1480 wrote to memory of 2028	1480	WScript.exe	37
PID 1480 wrote to memory of 2028	1480	WScript.exe	37
PID 2028 wrote to memory of 2164	2028	svchcst.exe	38
PID 2028 wrote to memory of 2164	2028	svchcst.exe	38
PID 2028 wrote to memory of 2164	2028	svchcst.exe	38
PID 2028 wrote to memory of 2164	2028	svchcst.exe	38
PID 2164 wrote to memory of 2092	2164	WScript.exe	39
PID 2164 wrote to memory of 2092	2164	WScript.exe	39
PID 2164 wrote to memory of 2092	2164	WScript.exe	39
PID 2164 wrote to memory of 2092	2164	WScript.exe	39
PID 2092 wrote to memory of 2032	2092	svchcst.exe	40
PID 2092 wrote to memory of 2032	2092	svchcst.exe	40
PID 2092 wrote to memory of 2032	2092	svchcst.exe	40
PID 2092 wrote to memory of 2032	2092	svchcst.exe	40
PID 2032 wrote to memory of 1456	2032	WScript.exe	41
PID 2032 wrote to memory of 1456	2032	WScript.exe	41
PID 2032 wrote to memory of 1456	2032	WScript.exe	41
PID 2032 wrote to memory of 1456	2032	WScript.exe	41
PID 1456 wrote to memory of 1780	1456	svchcst.exe	42
PID 1456 wrote to memory of 1780	1456	svchcst.exe	42
PID 1456 wrote to memory of 1780	1456	svchcst.exe	42
PID 1456 wrote to memory of 1780	1456	svchcst.exe	42
PID 1780 wrote to memory of 2132	1780	WScript.exe	43
PID 1780 wrote to memory of 2132	1780	WScript.exe	43
PID 1780 wrote to memory of 2132	1780	WScript.exe	43
PID 1780 wrote to memory of 2132	1780	WScript.exe	43
PID 2132 wrote to memory of 2444	2132	svchcst.exe	44
PID 2132 wrote to memory of 2444	2132	svchcst.exe	44
PID 2132 wrote to memory of 2444	2132	svchcst.exe	44
PID 2132 wrote to memory of 2444	2132	svchcst.exe	44
PID 2444 wrote to memory of 1708	2444	WScript.exe	45
PID 2444 wrote to memory of 1708	2444	WScript.exe	45
PID 2444 wrote to memory of 1708	2444	WScript.exe	45
PID 2444 wrote to memory of 1708	2444	WScript.exe	45
PID 1708 wrote to memory of 2128	1708	svchcst.exe	46
PID 1708 wrote to memory of 2128	1708	svchcst.exe	46
PID 1708 wrote to memory of 2128	1708	svchcst.exe	46
PID 1708 wrote to memory of 2128	1708	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe
"C:\Users\Admin\AppData\Local\Temp\0df718ef49acc3ee46aceec41f8b06a0d0d41b985a3fe287d473bc0640496a32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f8c6683aaf3a6b88acb69cedc34157a0

SHA1
566bdeb02f3ef9dee05cc61b952196a57c41e150

SHA256
be69dc6eafc9df344fb335a6d2457f0717ed953a4e501654727e0c2b05036db0

SHA512
5bc36559b43940fb4b015762eb1556428c5ed6ae897cf2c75fa679e53a7f6a1e713979dbd31644bc31f6dbf9a1f8c363b4310b17c211651b0c0b86614603d9ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b477e7dce5bd27cd752db59895425f41

SHA1
be8b80983cf937f660b53c20e581ecac063ad23e

SHA256
0736ea0e74f38894d4ed8235dc5f7b9b815314e1fe678cf634af3250698b011e

SHA512
89e3a16edd1d1bbf4c09b21aa243962586bbf75cafa44847469fef61a23585284fa035e5f540260a0d075f70c94cbcd2b49dd9cfdc3560c74b12aac576493f39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e6b09b8bf68295950db375dcbd9318d6

SHA1
f2b3d951d6f531da1fc7a685d9a1734815809535

SHA256
7f85289c3f05dc958dbde36dad2130cadf642e8b29655befffabc50d58e52a51

SHA512
3eb76278593cdb82563fcf4e7e9c3eab35cec5c5093a329caf0e3590151bae8351490adf7c24423fa5f55bffd9129f4eebe92d92829543905f208455a260eaf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e5a286c99b2c05067bf7a4354e08288

SHA1
6bbd9deba36d376e5c2b925d3cb1eaa0787d0180

SHA256
047946103c83029d9854a550c3eaa75ae8808c8d39d14b1df74e087a8359e9e9

SHA512
60723d7f87510bb3b983f5566ffe39d2680eee4dd595930984bede79e7e63330ee6c10224d98d15e98c734cf7e4ce92cec517afbf4b25c9859283b50722d246a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b00834f653b9721d1bf1839bf94ab307

SHA1
e0db6be73f65a5fdc3e8508a894a71096807ae64

SHA256
c627bf38bd9be6d8e1d9b2513602ecd84c72d6efc04d18327bed6dcc44efacfa

SHA512
71390c3f1951af6698067a71c35e63f92bb9283e0bf210e2bf82a577b604b82c633f583af5eac1b26ee7ec7e2c07ac1460e1415d715c8767f0643383d8d9c147

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e1ddd13e7d49ce34c5c8157dff256957

SHA1
02cfde7589f107341b3181252c2c7a8a6aa7b50e

SHA256
16fdd941d309c7910ac2f9f5aca32483bc7b34184f394b92e3c956dc784c1d0d

SHA512
795ee3c2391743834a6ed8e11e3d8a6f5aed12ee1bbfd8820cb3a411f0812cded27a5e00446363c8fdd8a12e66357b057dc9de7afc7a47605513b0f9e1aee569

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfa783e22c44dbd54b5be7209001faa0

SHA1
4233d5b672c31e49a8c173e0fc55b3dbcb61320e

SHA256
6db28409913a97b26281277d12f02185d577ca854c4867261cccbd8d33965a1c

SHA512
1209bdeceb8cacf852e931c8429bba1afe5a494437612f2e951aa2cdd9b791efb4f839b24c8422eeb011c8af639011664f1dea19128f600968b88274e54bb9e4

Download Submit
memory/744-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/744-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/812-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/812-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/840-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/840-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-73-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-32-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1268-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1480-47-0x0000000004A70000-0x0000000004BCF000-memory.dmp

Filesize
1.4MB

Download
memory/1512-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1556-197-0x0000000004810000-0x000000000496F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1708-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1708-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-179-0x00000000040D0000-0x000000000422F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-161-0x00000000047B0000-0x000000000490F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-174-0x0000000004340000-0x000000000449F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-187-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-226-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-159-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-14-0x00000000047E0000-0x000000000493F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-15-0x00000000047E0000-0x000000000493F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download