c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
Size

1.1MB
MD5

0032c6a28c1c3be52fc23f9190cb46ff
SHA1

d7226cf4898426c52681f5a7c48ac2ae67459523
SHA256

c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1
SHA512

1d67c6fee13755f6da90c411dfc4f5715cb1fe0f2f6783797f4bfff1a3187d2fc429964c159694882045b113e99deaa7ccf57904810dba9c7d61f0a37411ae49
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q5:acallSllG4ZM7QzMa

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2712	svchcst.exe
1808	svchcst.exe
1156	svchcst.exe
3028	svchcst.exe
2032	svchcst.exe
2440	svchcst.exe
1608	svchcst.exe
2248	svchcst.exe
2612	svchcst.exe
2916	svchcst.exe
752	svchcst.exe
2020	svchcst.exe
1132	svchcst.exe
1804	svchcst.exe
856	svchcst.exe
1332	svchcst.exe
1660	svchcst.exe
2056	svchcst.exe
3000	svchcst.exe
1864	svchcst.exe
1616	svchcst.exe
2468	svchcst.exe
2168	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
1976	WScript.exe
1976	WScript.exe
2648	WScript.exe
2648	WScript.exe
3060	WScript.exe
580	WScript.exe
920	WScript.exe
920	WScript.exe
844	WScript.exe
2684	WScript.exe
1792	WScript.exe
2880	WScript.exe
1792	WScript.exe
2520	WScript.exe
1376	WScript.exe
2168	WScript.exe
2168	WScript.exe
2168	WScript.exe
1996	WScript.exe
1996	WScript.exe
1032	WScript.exe
1032	WScript.exe
2592	WScript.exe
2592	WScript.exe
1632	WScript.exe
1632	WScript.exe
2812	WScript.exe
2812	WScript.exe
2376	WScript.exe
2376	WScript.exe
2216	WScript.exe
2216	WScript.exe
2020	WScript.exe
2020	WScript.exe
1116	WScript.exe
1116	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
2712	svchcst.exe
2712	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
752	svchcst.exe
752	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
856	svchcst.exe
856	svchcst.exe
1332	svchcst.exe
1332	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1976	1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe	30
PID 1972 wrote to memory of 1976	1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe	30
PID 1972 wrote to memory of 1976	1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe	30
PID 1972 wrote to memory of 1976	1972	c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe	30
PID 1976 wrote to memory of 2712	1976	WScript.exe	32
PID 1976 wrote to memory of 2712	1976	WScript.exe	32
PID 1976 wrote to memory of 2712	1976	WScript.exe	32
PID 1976 wrote to memory of 2712	1976	WScript.exe	32
PID 2712 wrote to memory of 2648	2712	svchcst.exe	33
PID 2712 wrote to memory of 2648	2712	svchcst.exe	33
PID 2712 wrote to memory of 2648	2712	svchcst.exe	33
PID 2712 wrote to memory of 2648	2712	svchcst.exe	33
PID 2648 wrote to memory of 1808	2648	WScript.exe	34
PID 2648 wrote to memory of 1808	2648	WScript.exe	34
PID 2648 wrote to memory of 1808	2648	WScript.exe	34
PID 2648 wrote to memory of 1808	2648	WScript.exe	34
PID 1808 wrote to memory of 3060	1808	svchcst.exe	35
PID 1808 wrote to memory of 3060	1808	svchcst.exe	35
PID 1808 wrote to memory of 3060	1808	svchcst.exe	35
PID 1808 wrote to memory of 3060	1808	svchcst.exe	35
PID 3060 wrote to memory of 1156	3060	WScript.exe	36
PID 3060 wrote to memory of 1156	3060	WScript.exe	36
PID 3060 wrote to memory of 1156	3060	WScript.exe	36
PID 3060 wrote to memory of 1156	3060	WScript.exe	36
PID 1156 wrote to memory of 580	1156	svchcst.exe	37
PID 1156 wrote to memory of 580	1156	svchcst.exe	37
PID 1156 wrote to memory of 580	1156	svchcst.exe	37
PID 1156 wrote to memory of 580	1156	svchcst.exe	37
PID 580 wrote to memory of 3028	580	WScript.exe	38
PID 580 wrote to memory of 3028	580	WScript.exe	38
PID 580 wrote to memory of 3028	580	WScript.exe	38
PID 580 wrote to memory of 3028	580	WScript.exe	38
PID 3028 wrote to memory of 920	3028	svchcst.exe	39
PID 3028 wrote to memory of 920	3028	svchcst.exe	39
PID 3028 wrote to memory of 920	3028	svchcst.exe	39
PID 3028 wrote to memory of 920	3028	svchcst.exe	39
PID 920 wrote to memory of 2032	920	WScript.exe	40
PID 920 wrote to memory of 2032	920	WScript.exe	40
PID 920 wrote to memory of 2032	920	WScript.exe	40
PID 920 wrote to memory of 2032	920	WScript.exe	40
PID 2032 wrote to memory of 844	2032	svchcst.exe	41
PID 2032 wrote to memory of 844	2032	svchcst.exe	41
PID 2032 wrote to memory of 844	2032	svchcst.exe	41
PID 2032 wrote to memory of 844	2032	svchcst.exe	41
PID 844 wrote to memory of 2440	844	WScript.exe	42
PID 844 wrote to memory of 2440	844	WScript.exe	42
PID 844 wrote to memory of 2440	844	WScript.exe	42
PID 844 wrote to memory of 2440	844	WScript.exe	42
PID 2440 wrote to memory of 2684	2440	svchcst.exe	43
PID 2440 wrote to memory of 2684	2440	svchcst.exe	43
PID 2440 wrote to memory of 2684	2440	svchcst.exe	43
PID 2440 wrote to memory of 2684	2440	svchcst.exe	43
PID 2684 wrote to memory of 1608	2684	WScript.exe	44
PID 2684 wrote to memory of 1608	2684	WScript.exe	44
PID 2684 wrote to memory of 1608	2684	WScript.exe	44
PID 2684 wrote to memory of 1608	2684	WScript.exe	44
PID 1608 wrote to memory of 1792	1608	svchcst.exe	45
PID 1608 wrote to memory of 1792	1608	svchcst.exe	45
PID 1608 wrote to memory of 1792	1608	svchcst.exe	45
PID 1608 wrote to memory of 1792	1608	svchcst.exe	45
PID 1792 wrote to memory of 2248	1792	WScript.exe	46
PID 1792 wrote to memory of 2248	1792	WScript.exe	46
PID 1792 wrote to memory of 2248	1792	WScript.exe	46
PID 1792 wrote to memory of 2248	1792	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe
"C:\Users\Admin\AppData\Local\Temp\c93faa61de3c6365368c21c7c5796e87fe58243e7fd12c8913012e17f3b90fd1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f94bb80d66c86275b22887d8a523e674

SHA1
ecc8110a8de5d7382702d7de3c2c66b0483f9093

SHA256
0118882d587ae71e83e624540e109fc77ebc72b71c41d408cd2c2ba66091024b

SHA512
bea24e5ffb95a7dd59baf44cd1ed3d1b5151eea6bee552d510a425f405d483912c24165911a492ee3bff3dfbca8101143e29a7d268c648a4a9089d2690c1cb62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0197cfc394aff8d9cf93465445d6e71e

SHA1
6ae06dd07009ec3d82f35654dd72d8979a44b882

SHA256
7b2a03fd9a48ed13fd4cb736aa8b0604460fb8194881f69be98a75a3ab5dc494

SHA512
9eb86763e85556944c1d2e9382f90859fe3dd170f4a508d53806c613faf7a0e65908bfc18ada17b3ccf773d41fce5f20de3ec689ebf97699bc826e95ab9d4351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9227e2a72432148df4749fa0fa321d5e

SHA1
2f628674ba90e7f6666d43887590c7ebc5593096

SHA256
2bb9eb3455fad56687534c0727fc2e7b57525a911ae73cf882918eb96333bb40

SHA512
b8253dfd875b2e124b5b9724189dd6f9021db2dc1c85cb93811ffb68b0762720cd3f88c3c4cb4ce956f5c8c712c59ed7c320640181aa1236bc4d388bacb11130

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5ddee0a55aaa853561319f8840add5c3

SHA1
f64ac4d9aa252c4094ff0fddcd2e2cd1dbb075b1

SHA256
ae9cc4988ffa50a818445ec2f8d8b15b742498c97b720b967ec6653d38591363

SHA512
5026a61d3a1cacdb8507f4a401df1fc85991132cfc55efc3ecc15ba21e7d58240f9ddc1e78d5119fd8d6222efdb193991b322bfb2aba30c921efce16515b8cf0

Download Submit
memory/752-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/752-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/920-99-0x0000000004C80000-0x0000000004DDF000-memory.dmp

Filesize
1.4MB

Download
memory/1116-239-0x00000000041F0000-0x000000000434F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-173-0x0000000004710000-0x000000000486F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2168-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-190-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/2612-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-30-0x0000000004940000-0x0000000004A9F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-29-0x0000000004940000-0x0000000004A9F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-41-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download