64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
Size

1.1MB
MD5

1b928d4ce77cab4014e87053a005b322
SHA1

32cc2020e63f01f9c5922d5a8ebf0a33d6501068
SHA256

64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b
SHA512

36a813002c393db8256fb620b38a571e19e5b864b6408ec80dad90a71f888b3413a55cfd391aed317e06c4ccb8df93d3b43012e5d8c01a85f8e30538a1969cb6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QP:acallSllG4ZM7QzMY

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2820	svchcst.exe
2008	svchcst.exe
544	svchcst.exe
2744	svchcst.exe
2056	svchcst.exe
688	svchcst.exe
2156	svchcst.exe
1600	svchcst.exe
800	svchcst.exe
1248	svchcst.exe
2536	svchcst.exe
1136	svchcst.exe
1968	svchcst.exe
972	svchcst.exe
2116	svchcst.exe
2856	svchcst.exe
2452	svchcst.exe
1264	svchcst.exe
664	svchcst.exe
692	svchcst.exe
1596	svchcst.exe
2552	svchcst.exe
1800	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2076	WScript.exe
2076	WScript.exe
2740	WScript.exe
2740	WScript.exe
1856	WScript.exe
1856	WScript.exe
1932	WScript.exe
1484	WScript.exe
1808	WScript.exe
1992	WScript.exe
1572	WScript.exe
1572	WScript.exe
1572	WScript.exe
620	WScript.exe
620	WScript.exe
644	WScript.exe
1100	WScript.exe
1520	WScript.exe
1520	WScript.exe
2020	WScript.exe
2020	WScript.exe
2708	WScript.exe
2708	WScript.exe
1980	WScript.exe
1980	WScript.exe
2008	WScript.exe
2008	WScript.exe
1496	WScript.exe
1496	WScript.exe
2584	WScript.exe
2584	WScript.exe
2444	WScript.exe
2444	WScript.exe
2056	WScript.exe
2056	WScript.exe
1696	WScript.exe
1696	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
2820	svchcst.exe
2820	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
544	svchcst.exe
544	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
688	svchcst.exe
688	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
800	svchcst.exe
800	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
972	svchcst.exe
972	svchcst.exe
2116	svchcst.exe
2116	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
1264	svchcst.exe
1264	svchcst.exe
664	svchcst.exe
664	svchcst.exe
692	svchcst.exe
692	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2076	1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe	30
PID 1512 wrote to memory of 2076	1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe	30
PID 1512 wrote to memory of 2076	1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe	30
PID 1512 wrote to memory of 2076	1512	64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe	30
PID 2076 wrote to memory of 2820	2076	WScript.exe	32
PID 2076 wrote to memory of 2820	2076	WScript.exe	32
PID 2076 wrote to memory of 2820	2076	WScript.exe	32
PID 2076 wrote to memory of 2820	2076	WScript.exe	32
PID 2820 wrote to memory of 2740	2820	svchcst.exe	33
PID 2820 wrote to memory of 2740	2820	svchcst.exe	33
PID 2820 wrote to memory of 2740	2820	svchcst.exe	33
PID 2820 wrote to memory of 2740	2820	svchcst.exe	33
PID 2740 wrote to memory of 2008	2740	WScript.exe	35
PID 2740 wrote to memory of 2008	2740	WScript.exe	35
PID 2740 wrote to memory of 2008	2740	WScript.exe	35
PID 2740 wrote to memory of 2008	2740	WScript.exe	35
PID 2008 wrote to memory of 1856	2008	svchcst.exe	36
PID 2008 wrote to memory of 1856	2008	svchcst.exe	36
PID 2008 wrote to memory of 1856	2008	svchcst.exe	36
PID 2008 wrote to memory of 1856	2008	svchcst.exe	36
PID 1856 wrote to memory of 544	1856	WScript.exe	37
PID 1856 wrote to memory of 544	1856	WScript.exe	37
PID 1856 wrote to memory of 544	1856	WScript.exe	37
PID 1856 wrote to memory of 544	1856	WScript.exe	37
PID 544 wrote to memory of 1932	544	svchcst.exe	38
PID 544 wrote to memory of 1932	544	svchcst.exe	38
PID 544 wrote to memory of 1932	544	svchcst.exe	38
PID 544 wrote to memory of 1932	544	svchcst.exe	38
PID 1932 wrote to memory of 2744	1932	WScript.exe	39
PID 1932 wrote to memory of 2744	1932	WScript.exe	39
PID 1932 wrote to memory of 2744	1932	WScript.exe	39
PID 1932 wrote to memory of 2744	1932	WScript.exe	39
PID 2744 wrote to memory of 1484	2744	svchcst.exe	40
PID 2744 wrote to memory of 1484	2744	svchcst.exe	40
PID 2744 wrote to memory of 1484	2744	svchcst.exe	40
PID 2744 wrote to memory of 1484	2744	svchcst.exe	40
PID 1484 wrote to memory of 2056	1484	WScript.exe	41
PID 1484 wrote to memory of 2056	1484	WScript.exe	41
PID 1484 wrote to memory of 2056	1484	WScript.exe	41
PID 1484 wrote to memory of 2056	1484	WScript.exe	41
PID 2056 wrote to memory of 1808	2056	svchcst.exe	42
PID 2056 wrote to memory of 1808	2056	svchcst.exe	42
PID 2056 wrote to memory of 1808	2056	svchcst.exe	42
PID 2056 wrote to memory of 1808	2056	svchcst.exe	42
PID 1808 wrote to memory of 688	1808	WScript.exe	43
PID 1808 wrote to memory of 688	1808	WScript.exe	43
PID 1808 wrote to memory of 688	1808	WScript.exe	43
PID 1808 wrote to memory of 688	1808	WScript.exe	43
PID 688 wrote to memory of 1992	688	svchcst.exe	44
PID 688 wrote to memory of 1992	688	svchcst.exe	44
PID 688 wrote to memory of 1992	688	svchcst.exe	44
PID 688 wrote to memory of 1992	688	svchcst.exe	44
PID 1992 wrote to memory of 2156	1992	WScript.exe	45
PID 1992 wrote to memory of 2156	1992	WScript.exe	45
PID 1992 wrote to memory of 2156	1992	WScript.exe	45
PID 1992 wrote to memory of 2156	1992	WScript.exe	45
PID 2156 wrote to memory of 1572	2156	svchcst.exe	46
PID 2156 wrote to memory of 1572	2156	svchcst.exe	46
PID 2156 wrote to memory of 1572	2156	svchcst.exe	46
PID 2156 wrote to memory of 1572	2156	svchcst.exe	46
PID 1572 wrote to memory of 1600	1572	WScript.exe	47
PID 1572 wrote to memory of 1600	1572	WScript.exe	47
PID 1572 wrote to memory of 1600	1572	WScript.exe	47
PID 1572 wrote to memory of 1600	1572	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe
"C:\Users\Admin\AppData\Local\Temp\64a14b0fff30ca849372f5fbb52f475206561481177a6d1154b42ab75a0b298b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
019feed1ea8f8c958541919ac0621b1f

SHA1
2a160f10661584ede3f89787394377731b86c009

SHA256
f286c1a38a730dc11e36b444ccd806199dd8cd4f147beef54a48d80070e97fa7

SHA512
a168e6260e977c15fc366c41b4cc038565a5e5a5668868b9970abcb1389079b0ea3de5db9601ff80b0878aefe95e2a31535aac1513a419112799df762a2e1924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e23b0c98cd457c1b02f24649dc259c54

SHA1
ac24a0496a9a40743fa135a67bd1d97d6fff3d3f

SHA256
5c65cdbaef4d4c29129e407fe763fb580a5e32f3abe22876a1adce21fe42a7d5

SHA512
892d1a362bbb3edcc6691334764c3a531546cf971b83609306afedb25fc3a4b0c348db45c1c12b7d1bb5ad803eab953acd5fa8c8fa3e48eac29b97ea07b8b6a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
962d46dca23abbd58665c9dd40fcf985

SHA1
7feba6bd6e03afb5bfa94022fdd3642fed378e36

SHA256
593a24bd4ba10ff8783fae53e0fcbcf98104453d465c9924bae3654f0c85dac3

SHA512
a81f7e46330c857a0557c563f09e497a3f686bc0d604cdf5e9cf53f2149be432b005333f283c5b93e64c350b31d21e26538ceb0144b720976d48bc8d5d0ef011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e46e66cb66fda58a9b44cf327793fcfd

SHA1
836599bf777437d0a997c51aa607543f24182f94

SHA256
4c8724a2a60832162e8eeb0bd811e552a885d7bdb44acec4cab2ba304ec63c1d

SHA512
e07b885dbeed64d7b229916e60781a82d4d29b11435c457169b459d4b2ba898dab450e5063cf17cbef06673792e9a38c83accb255bdbc0c6c67228e70ff0f8eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e2f2bfad420d3263a89cb8f92ced769a

SHA1
2848ea00c205691b119f3ceaa2b8a9a45760c17d

SHA256
d6e7632106328a086e2011a5f516c0e7127ba091af0ae6ac0bc1ec41f703d9e2

SHA512
86eb5fe4466a9c734588c4515f56a1f7f765dae289bb54e5e0d306803c953712f2a64c5e1afeaa3488421913d0cc4401fd2152f07921813d6f4ad4d579509c17

Download Submit
memory/544-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/544-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/620-139-0x0000000004640000-0x000000000479F000-memory.dmp

Filesize
1.4MB

Download
memory/664-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/664-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/972-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1572-103-0x0000000004270000-0x00000000043CF000-memory.dmp

Filesize
1.4MB

Download
memory/1572-116-0x00000000043A0000-0x00000000044FF000-memory.dmp

Filesize
1.4MB

Download
memory/1572-104-0x0000000004270000-0x00000000043CF000-memory.dmp

Filesize
1.4MB

Download
memory/1596-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-199-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2056-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-13-0x0000000003F50000-0x00000000040AF000-memory.dmp

Filesize
1.4MB

Download
memory/2076-14-0x0000000003F50000-0x00000000040AF000-memory.dmp

Filesize
1.4MB

Download
memory/2116-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-224-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2536-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2536-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-216-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-183-0x0000000005E60000-0x0000000005FBF000-memory.dmp

Filesize
1.4MB

Download
memory/2744-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download