406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
Size

1.1MB
MD5

a231fdacca5fbf8e23d88bef82512791
SHA1

face1502dc72dba4aa55edcb2d91aa27fe20baf0
SHA256

406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec
SHA512

4b63b2038ebccaddb6dbce645520d515f2e1d6f7182f3391f84d25aed38adad9135542797de2559085e102d8250e5affc2d4f1b70bc260ab3ba9d9c3412b67a6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qt:acallSllG4ZM7QzMG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
2672	svchcst.exe
1964	svchcst.exe
2896	svchcst.exe
2160	svchcst.exe
1020	svchcst.exe
1360	svchcst.exe
264	svchcst.exe
2984	svchcst.exe
2748	svchcst.exe
2656	svchcst.exe
1100	svchcst.exe
1080	svchcst.exe
1936	svchcst.exe
620	svchcst.exe
1336	svchcst.exe
1488	svchcst.exe
1648	svchcst.exe
2316	svchcst.exe
1596	svchcst.exe
1948	svchcst.exe
1116	svchcst.exe
2860	svchcst.exe
992	svchcst.exe
2536	svchcst.exe
1248	svchcst.exe
2660	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
1684	WScript.exe
1684	WScript.exe
2612	WScript.exe
1736	WScript.exe
1736	WScript.exe
1420	WScript.exe
328	WScript.exe
1908	WScript.exe
324	WScript.exe
1116	WScript.exe
2724	WScript.exe
2724	WScript.exe
1116	WScript.exe
2724	WScript.exe
2724	WScript.exe
2596	WScript.exe
1572	WScript.exe
288	WScript.exe
288	WScript.exe
1420	WScript.exe
1420	WScript.exe
2460	WScript.exe
2460	WScript.exe
2848	WScript.exe
2848	WScript.exe
2576	WScript.exe
2576	WScript.exe
1100	WScript.exe
1100	WScript.exe
2180	WScript.exe
2180	WScript.exe
2716	WScript.exe
2716	WScript.exe
1760	WScript.exe
1760	WScript.exe
2272	WScript.exe
2272	WScript.exe
1572	WScript.exe
1572	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
2672	svchcst.exe
2672	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
1020	svchcst.exe
1020	svchcst.exe
1360	svchcst.exe
1360	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
1100	svchcst.exe
1100	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
620	svchcst.exe
620	svchcst.exe
1336	svchcst.exe
1336	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
1648	svchcst.exe
1648	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
1116	svchcst.exe
1116	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
992	svchcst.exe
992	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1684	1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	31
PID 1880 wrote to memory of 1684	1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	31
PID 1880 wrote to memory of 1684	1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	31
PID 1880 wrote to memory of 1684	1880	406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe	31
PID 1684 wrote to memory of 2672	1684	WScript.exe	33
PID 1684 wrote to memory of 2672	1684	WScript.exe	33
PID 1684 wrote to memory of 2672	1684	WScript.exe	33
PID 1684 wrote to memory of 2672	1684	WScript.exe	33
PID 2672 wrote to memory of 2612	2672	svchcst.exe	34
PID 2672 wrote to memory of 2612	2672	svchcst.exe	34
PID 2672 wrote to memory of 2612	2672	svchcst.exe	34
PID 2672 wrote to memory of 2612	2672	svchcst.exe	34
PID 2612 wrote to memory of 1964	2612	WScript.exe	35
PID 2612 wrote to memory of 1964	2612	WScript.exe	35
PID 2612 wrote to memory of 1964	2612	WScript.exe	35
PID 2612 wrote to memory of 1964	2612	WScript.exe	35
PID 1964 wrote to memory of 1736	1964	svchcst.exe	36
PID 1964 wrote to memory of 1736	1964	svchcst.exe	36
PID 1964 wrote to memory of 1736	1964	svchcst.exe	36
PID 1964 wrote to memory of 1736	1964	svchcst.exe	36
PID 1736 wrote to memory of 2896	1736	WScript.exe	37
PID 1736 wrote to memory of 2896	1736	WScript.exe	37
PID 1736 wrote to memory of 2896	1736	WScript.exe	37
PID 1736 wrote to memory of 2896	1736	WScript.exe	37
PID 2896 wrote to memory of 1548	2896	svchcst.exe	38
PID 2896 wrote to memory of 1548	2896	svchcst.exe	38
PID 2896 wrote to memory of 1548	2896	svchcst.exe	38
PID 2896 wrote to memory of 1548	2896	svchcst.exe	38
PID 1736 wrote to memory of 2160	1736	WScript.exe	39
PID 1736 wrote to memory of 2160	1736	WScript.exe	39
PID 1736 wrote to memory of 2160	1736	WScript.exe	39
PID 1736 wrote to memory of 2160	1736	WScript.exe	39
PID 2160 wrote to memory of 1420	2160	svchcst.exe	40
PID 2160 wrote to memory of 1420	2160	svchcst.exe	40
PID 2160 wrote to memory of 1420	2160	svchcst.exe	40
PID 2160 wrote to memory of 1420	2160	svchcst.exe	40
PID 1420 wrote to memory of 1020	1420	WScript.exe	41
PID 1420 wrote to memory of 1020	1420	WScript.exe	41
PID 1420 wrote to memory of 1020	1420	WScript.exe	41
PID 1420 wrote to memory of 1020	1420	WScript.exe	41
PID 1020 wrote to memory of 328	1020	svchcst.exe	42
PID 1020 wrote to memory of 328	1020	svchcst.exe	42
PID 1020 wrote to memory of 328	1020	svchcst.exe	42
PID 1020 wrote to memory of 328	1020	svchcst.exe	42
PID 328 wrote to memory of 1360	328	WScript.exe	43
PID 328 wrote to memory of 1360	328	WScript.exe	43
PID 328 wrote to memory of 1360	328	WScript.exe	43
PID 328 wrote to memory of 1360	328	WScript.exe	43
PID 1360 wrote to memory of 1908	1360	svchcst.exe	44
PID 1360 wrote to memory of 1908	1360	svchcst.exe	44
PID 1360 wrote to memory of 1908	1360	svchcst.exe	44
PID 1360 wrote to memory of 1908	1360	svchcst.exe	44
PID 1908 wrote to memory of 264	1908	WScript.exe	45
PID 1908 wrote to memory of 264	1908	WScript.exe	45
PID 1908 wrote to memory of 264	1908	WScript.exe	45
PID 1908 wrote to memory of 264	1908	WScript.exe	45
PID 264 wrote to memory of 324	264	svchcst.exe	46
PID 264 wrote to memory of 324	264	svchcst.exe	46
PID 264 wrote to memory of 324	264	svchcst.exe	46
PID 264 wrote to memory of 324	264	svchcst.exe	46
PID 324 wrote to memory of 2984	324	WScript.exe	47
PID 324 wrote to memory of 2984	324	WScript.exe	47
PID 324 wrote to memory of 2984	324	WScript.exe	47
PID 324 wrote to memory of 2984	324	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe
"C:\Users\Admin\AppData\Local\Temp\406c72f1c116fdd0a26e59d61b0e32a3c7ba7a2e9d835d8ff4803c82fe47f3ec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b360e904536f5fa1cdb5fc9775797c63

SHA1
9a8302f876e331d31ac4f06b2d05ba44c1d6d1e0

SHA256
c6a0efb27c1781b048fc708bd12c92653b7d5da479fa35b7fd243b1dbffc7fd3

SHA512
3356b9a7f17f46c88c567f84f981b38fd9ca57fcb84fcc338196fbc084f75bc273627cc8211ae64274e42beaacbaf55c998fb9b94a8f3e171dbd3b083498c8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cab6b7b2c7da3f679a8c7c06940e565e

SHA1
5822da80e4ddf2bc8473cfd224724b5ec915476a

SHA256
c22d47e371fc8894ef363ab59050e37fe9154c15865343b076498b242e7f508b

SHA512
d3b4b8d5bae397001fc8adacbfadeb19c27b7e2ac327af19faed88f47f0cba64b97b972fc3e6e7cc7051987c97961dd54d9b846cda86023cdf251ff38d1b2dc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c7f14868ffb6c1b691e55289a1f48c62

SHA1
4016417fbe5a06f5f0be49e3cc5439bbc5e21d18

SHA256
58a59a5a6045bcb89b50f54d1be8d6e0bd3a8ccbfce27db56960927812f67da1

SHA512
e8fe15ba1f5e14841037f1884e3d6c9955b7b0d7b2a163d86fb946f5ff66c593ce97e39b3f7d17e330f5fb8008d547a8e2883dec471cc33a33e2c7cb7f45ba14

Download Submit
memory/264-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/264-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/324-118-0x0000000005C90000-0x0000000005DEF000-memory.dmp

Filesize
1.4MB

Download
memory/328-93-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/620-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/992-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1020-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1020-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1100-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1116-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1116-108-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/1116-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1336-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1360-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1360-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1420-167-0x0000000004540000-0x000000000469F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1596-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1596-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-15-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-20-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/1880-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1880-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-84-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1948-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2536-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-30-0x0000000005CD0000-0x0000000005E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download