4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Size

1.1MB
MD5

74048ab45ff5e1526565c0d57ea47f18
SHA1

bea0a9386eae83372293c50244fec9590023decb
SHA256

4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955
SHA512

67add039799e127d6048ee247b3d3813e47024ada1761b729a327d7d9f5aac867c66cf61d0d731bc19a84a1af59e4334186bd2356056dc65a2d3721555013ac9
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMA

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2820	svchcst.exe
2848	svchcst.exe
3028	svchcst.exe
1656	svchcst.exe
1932	svchcst.exe
844	svchcst.exe
2384	svchcst.exe
2572	svchcst.exe
296	svchcst.exe
2324	svchcst.exe
1980	svchcst.exe
1048	svchcst.exe
1676	svchcst.exe
2264	svchcst.exe
1972	svchcst.exe
2824	svchcst.exe
2708	svchcst.exe
2724	svchcst.exe
1736	svchcst.exe
1696	svchcst.exe
1500	svchcst.exe
1780	svchcst.exe
1652	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2568	WScript.exe
2568	WScript.exe
2632	WScript.exe
1748	WScript.exe
1748	WScript.exe
1760	WScript.exe
1704	WScript.exe
1704	WScript.exe
1704	WScript.exe
560	WScript.exe
1732	WScript.exe
2948	WScript.exe
2948	WScript.exe
1472	WScript.exe
2880	WScript.exe
1524	WScript.exe
1076	WScript.exe
1076	WScript.exe
772	WScript.exe
772	WScript.exe
2160	WScript.exe
2160	WScript.exe
2576	WScript.exe
2576	WScript.exe
2212	WScript.exe
2212	WScript.exe
1832	WScript.exe
1832	WScript.exe
2280	WScript.exe
2280	WScript.exe
2592	WScript.exe
2592	WScript.exe
1468	WScript.exe
1468	WScript.exe
2344	WScript.exe
2344	WScript.exe
1292	WScript.exe
1292	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
2820	svchcst.exe
2820	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
844	svchcst.exe
844	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
296	svchcst.exe
296	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2568	1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	30
PID 1712 wrote to memory of 2568	1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	30
PID 1712 wrote to memory of 2568	1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	30
PID 1712 wrote to memory of 2568	1712	4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe	30
PID 2568 wrote to memory of 2820	2568	WScript.exe	32
PID 2568 wrote to memory of 2820	2568	WScript.exe	32
PID 2568 wrote to memory of 2820	2568	WScript.exe	32
PID 2568 wrote to memory of 2820	2568	WScript.exe	32
PID 2820 wrote to memory of 2632	2820	svchcst.exe	33
PID 2820 wrote to memory of 2632	2820	svchcst.exe	33
PID 2820 wrote to memory of 2632	2820	svchcst.exe	33
PID 2820 wrote to memory of 2632	2820	svchcst.exe	33
PID 2632 wrote to memory of 2848	2632	WScript.exe	34
PID 2632 wrote to memory of 2848	2632	WScript.exe	34
PID 2632 wrote to memory of 2848	2632	WScript.exe	34
PID 2632 wrote to memory of 2848	2632	WScript.exe	34
PID 2848 wrote to memory of 1748	2848	svchcst.exe	35
PID 2848 wrote to memory of 1748	2848	svchcst.exe	35
PID 2848 wrote to memory of 1748	2848	svchcst.exe	35
PID 2848 wrote to memory of 1748	2848	svchcst.exe	35
PID 1748 wrote to memory of 3028	1748	WScript.exe	37
PID 1748 wrote to memory of 3028	1748	WScript.exe	37
PID 1748 wrote to memory of 3028	1748	WScript.exe	37
PID 1748 wrote to memory of 3028	1748	WScript.exe	37
PID 3028 wrote to memory of 1760	3028	svchcst.exe	38
PID 3028 wrote to memory of 1760	3028	svchcst.exe	38
PID 3028 wrote to memory of 1760	3028	svchcst.exe	38
PID 3028 wrote to memory of 1760	3028	svchcst.exe	38
PID 1760 wrote to memory of 1656	1760	WScript.exe	39
PID 1760 wrote to memory of 1656	1760	WScript.exe	39
PID 1760 wrote to memory of 1656	1760	WScript.exe	39
PID 1760 wrote to memory of 1656	1760	WScript.exe	39
PID 1656 wrote to memory of 1704	1656	svchcst.exe	40
PID 1656 wrote to memory of 1704	1656	svchcst.exe	40
PID 1656 wrote to memory of 1704	1656	svchcst.exe	40
PID 1656 wrote to memory of 1704	1656	svchcst.exe	40
PID 1704 wrote to memory of 1932	1704	WScript.exe	41
PID 1704 wrote to memory of 1932	1704	WScript.exe	41
PID 1704 wrote to memory of 1932	1704	WScript.exe	41
PID 1704 wrote to memory of 1932	1704	WScript.exe	41
PID 1932 wrote to memory of 280	1932	svchcst.exe	42
PID 1932 wrote to memory of 280	1932	svchcst.exe	42
PID 1932 wrote to memory of 280	1932	svchcst.exe	42
PID 1932 wrote to memory of 280	1932	svchcst.exe	42
PID 1704 wrote to memory of 844	1704	WScript.exe	43
PID 1704 wrote to memory of 844	1704	WScript.exe	43
PID 1704 wrote to memory of 844	1704	WScript.exe	43
PID 1704 wrote to memory of 844	1704	WScript.exe	43
PID 844 wrote to memory of 560	844	svchcst.exe	44
PID 844 wrote to memory of 560	844	svchcst.exe	44
PID 844 wrote to memory of 560	844	svchcst.exe	44
PID 844 wrote to memory of 560	844	svchcst.exe	44
PID 844 wrote to memory of 864	844	svchcst.exe	45
PID 844 wrote to memory of 864	844	svchcst.exe	45
PID 844 wrote to memory of 864	844	svchcst.exe	45
PID 844 wrote to memory of 864	844	svchcst.exe	45
PID 560 wrote to memory of 2384	560	WScript.exe	46
PID 560 wrote to memory of 2384	560	WScript.exe	46
PID 560 wrote to memory of 2384	560	WScript.exe	46
PID 560 wrote to memory of 2384	560	WScript.exe	46
PID 2384 wrote to memory of 1732	2384	svchcst.exe	47
PID 2384 wrote to memory of 1732	2384	svchcst.exe	47
PID 2384 wrote to memory of 1732	2384	svchcst.exe	47
PID 2384 wrote to memory of 1732	2384	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe
"C:\Users\Admin\AppData\Local\Temp\4fd52090f0f58c413182bfdceb77b2760ca51217d95b06f9fb19af021c1c9955.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0497dadaf37ea5f844b3d440c996f318

SHA1
371494e6a94699d8a292a54ff93735f3d9309abb

SHA256
deae6f2286188865e3f8aeafc4b4e9e9ebfd168bf99e82f0ea3f20700d10c448

SHA512
7e7ecac2c0c3d18269d2769c8c2ae71eae59bbbaf829fa6b8ea5eb7a94a60f94e181193f089d553b9feeccebd4e0fb037fb91190cd43957aa854e2d5e92ef880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a06c7d0a7b066c05cd09151daa1d5a66

SHA1
d681298db9198485fc6127dd12b09230b5321944

SHA256
ba7240b7bfc71fe0c5986f982020da151d3f86091eddc735565632501ecab4e6

SHA512
901ce96927fd5e123761b8b17416eb05fdd80b5613c6653b205cf26caafd410de15e6115492c7ba8d419e36b98b0a2c80ff8e2e1f18625d3af483f8e20bbd755

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
450474df8cbb776a2509532fdb53483a

SHA1
2bedde43d119bda06b43a166b9db7a46ede8f3a6

SHA256
df9206d3a9bcdc4c53cb444f371fc7d1ff22bff91f057ec2330073c91f9c2cbe

SHA512
189c65091f86111e764ab2a07acd7221b40fbe11e6c33e412ff87e021a8b271e4cb883c52bdf4d7ff67310d93a402b1b4f1ed073055b039a1170534e28770587

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7117a94e22c6336b9b8d643ae507b602

SHA1
d93f62946bcf9059ec4e96ead138112e3e563d33

SHA256
99f04f3f571bba02ac574c2ff68158fe23699a816c0b25bdbdce964872e913f6

SHA512
91b83308381377ce0a18eff4b2a51495092952ccef6de62c8d7f7bc733063df51a0037fb87724aed5aea83267c10e57a19fbfb5a3677488b06901008689967eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f716eb5c8223374d0ca9545d4a630f12

SHA1
336ce080d6a26f07ad2014e2b9541ea027204b34

SHA256
16f479b2a571ed5c4449b144dd11b7a2ca5710fd52bf8256acfe140b5febbc27

SHA512
9eb77d32f87c0243090ea2a1fe5aae120415d91ffd1acf4a07b289d0a11643d3a275b6aab0df748c6026faf1b915926183e6b39a7dfe4f25643ff83719c8df01

Download Submit
memory/296-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/296-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/560-93-0x0000000005EB0000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/844-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1500-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1500-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1704-77-0x0000000003E80000-0x0000000003FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1704-78-0x0000000003E80000-0x0000000003FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1712-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-105-0x0000000004790000-0x00000000048EF000-memory.dmp

Filesize
1.4MB

Download
memory/1736-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1736-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-54-0x0000000005A40000-0x0000000005B9F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-227-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1980-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1980-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-179-0x0000000005F60000-0x00000000060BF000-memory.dmp

Filesize
1.4MB

Download
memory/2264-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-237-0x0000000004290000-0x00000000043EF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-14-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-15-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-188-0x0000000004A40000-0x0000000004B9F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-147-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-118-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-119-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download