e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
Size

1.1MB
MD5

87745f72b277da3d73e59060ab58a56a
SHA1

ed249b08ecca92169511f946210307ab170226b1
SHA256

e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb
SHA512

c99e2f7907ad2f876a06adcfa2a5e27bbaf2e668586ee80269b714d2fd3f3e43cb5a28b521a6cd39457fb635f7d02250235111b56ebf3df5b877bffc65dd30dd
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QU:acallSllG4ZM7QzMT

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2948	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2948	svchcst.exe
2320	svchcst.exe
2420	svchcst.exe
2172	svchcst.exe
3008	svchcst.exe
2960	svchcst.exe
1624	svchcst.exe
576	svchcst.exe
2564	svchcst.exe
2128	svchcst.exe
2836	svchcst.exe
1520	svchcst.exe
1508	svchcst.exe
2592	svchcst.exe
2012	svchcst.exe
2484	svchcst.exe
1720	svchcst.exe
2688	svchcst.exe
2148	svchcst.exe
920	svchcst.exe
560	svchcst.exe
1200	svchcst.exe
1932	svchcst.exe
1748	svchcst.exe
1928	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
536	WScript.exe
536	WScript.exe
2784	WScript.exe
560	WScript.exe
560	WScript.exe
1056	WScript.exe
1056	WScript.exe
1056	WScript.exe
1056	WScript.exe
1496	WScript.exe
1496	WScript.exe
2256	WScript.exe
1980	WScript.exe
1980	WScript.exe
2776	WScript.exe
2776	WScript.exe
2936	WScript.exe
2936	WScript.exe
1624	WScript.exe
1624	WScript.exe
1496	WScript.exe
1496	WScript.exe
2152	WScript.exe
2152	WScript.exe
2128	WScript.exe
2128	WScript.exe
2300	WScript.exe
2300	WScript.exe
2756	WScript.exe
2756	WScript.exe
2004	WScript.exe
2004	WScript.exe
2588	WScript.exe
2588	WScript.exe
1536	WScript.exe
1536	WScript.exe
904	WScript.exe
904	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
2948	svchcst.exe
2948	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
576	svchcst.exe
576	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
920	svchcst.exe
920	svchcst.exe
560	svchcst.exe
560	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
1928	svchcst.exe
1928	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 536	2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe	30
PID 2408 wrote to memory of 536	2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe	30
PID 2408 wrote to memory of 536	2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe	30
PID 2408 wrote to memory of 536	2408	e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe	30
PID 536 wrote to memory of 2948	536	WScript.exe	33
PID 536 wrote to memory of 2948	536	WScript.exe	33
PID 536 wrote to memory of 2948	536	WScript.exe	33
PID 536 wrote to memory of 2948	536	WScript.exe	33
PID 2948 wrote to memory of 2784	2948	svchcst.exe	34
PID 2948 wrote to memory of 2784	2948	svchcst.exe	34
PID 2948 wrote to memory of 2784	2948	svchcst.exe	34
PID 2948 wrote to memory of 2784	2948	svchcst.exe	34
PID 2784 wrote to memory of 2320	2784	WScript.exe	35
PID 2784 wrote to memory of 2320	2784	WScript.exe	35
PID 2784 wrote to memory of 2320	2784	WScript.exe	35
PID 2784 wrote to memory of 2320	2784	WScript.exe	35
PID 2320 wrote to memory of 560	2320	svchcst.exe	36
PID 2320 wrote to memory of 560	2320	svchcst.exe	36
PID 2320 wrote to memory of 560	2320	svchcst.exe	36
PID 2320 wrote to memory of 560	2320	svchcst.exe	36
PID 560 wrote to memory of 2420	560	WScript.exe	37
PID 560 wrote to memory of 2420	560	WScript.exe	37
PID 560 wrote to memory of 2420	560	WScript.exe	37
PID 560 wrote to memory of 2420	560	WScript.exe	37
PID 2420 wrote to memory of 1056	2420	svchcst.exe	38
PID 2420 wrote to memory of 1056	2420	svchcst.exe	38
PID 2420 wrote to memory of 1056	2420	svchcst.exe	38
PID 2420 wrote to memory of 1056	2420	svchcst.exe	38
PID 560 wrote to memory of 2172	560	WScript.exe	39
PID 560 wrote to memory of 2172	560	WScript.exe	39
PID 560 wrote to memory of 2172	560	WScript.exe	39
PID 560 wrote to memory of 2172	560	WScript.exe	39
PID 1056 wrote to memory of 3008	1056	WScript.exe	40
PID 1056 wrote to memory of 3008	1056	WScript.exe	40
PID 1056 wrote to memory of 3008	1056	WScript.exe	40
PID 1056 wrote to memory of 3008	1056	WScript.exe	40
PID 1056 wrote to memory of 2960	1056	WScript.exe	41
PID 1056 wrote to memory of 2960	1056	WScript.exe	41
PID 1056 wrote to memory of 2960	1056	WScript.exe	41
PID 1056 wrote to memory of 2960	1056	WScript.exe	41
PID 2960 wrote to memory of 1688	2960	svchcst.exe	42
PID 2960 wrote to memory of 1688	2960	svchcst.exe	42
PID 2960 wrote to memory of 1688	2960	svchcst.exe	42
PID 2960 wrote to memory of 1688	2960	svchcst.exe	42
PID 1056 wrote to memory of 1624	1056	WScript.exe	43
PID 1056 wrote to memory of 1624	1056	WScript.exe	43
PID 1056 wrote to memory of 1624	1056	WScript.exe	43
PID 1056 wrote to memory of 1624	1056	WScript.exe	43
PID 1624 wrote to memory of 1496	1624	svchcst.exe	44
PID 1624 wrote to memory of 1496	1624	svchcst.exe	44
PID 1624 wrote to memory of 1496	1624	svchcst.exe	44
PID 1624 wrote to memory of 1496	1624	svchcst.exe	44
PID 1496 wrote to memory of 576	1496	WScript.exe	45
PID 1496 wrote to memory of 576	1496	WScript.exe	45
PID 1496 wrote to memory of 576	1496	WScript.exe	45
PID 1496 wrote to memory of 576	1496	WScript.exe	45
PID 576 wrote to memory of 2256	576	svchcst.exe	46
PID 576 wrote to memory of 2256	576	svchcst.exe	46
PID 576 wrote to memory of 2256	576	svchcst.exe	46
PID 576 wrote to memory of 2256	576	svchcst.exe	46
PID 2256 wrote to memory of 2564	2256	WScript.exe	47
PID 2256 wrote to memory of 2564	2256	WScript.exe	47
PID 2256 wrote to memory of 2564	2256	WScript.exe	47
PID 2256 wrote to memory of 2564	2256	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe
"C:\Users\Admin\AppData\Local\Temp\e8f2709e60c2eddeb7b9bb7c24f4c8af21c91149ae73318e5a9917ceb9f3ebdb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
af8007485ea76b282f69e3e13937f68d

SHA1
c5b78b25c5a71c764ad5796aeca2d655d051ae5c

SHA256
de2e269530bc0688ce7f34e1c9df04c933cf298be5f662fdec19ea437a4072cb

SHA512
a5f5b0e1f5d9b5728b75682032e70e745c200a5a2b403c7de281f69147b912d8f6eed2e2fd5aba69a7507fc6d3977ad61641863c8f97162d2cf27e6de6d4a4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c80be53da988f0ea9caaea1ad69434d3

SHA1
9a18293be5e2dc6d10e18a26171b16ab3c074e62

SHA256
e5f3429d2b0b5eb62ef861d6a93b44beadc6724b4cc2f02dfad1697b19108be4

SHA512
96c95e186d8e1a5f958a8baa09eabc2f94e4a8fa81a9594a90c1bf1b14e5deff482940dc0fecbe442b5b80a80b9363c7c41e7393418fb8edad4e4ec6328135cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cc867de8b426da44544e4764b73b9608

SHA1
23cdef7299f7c838097769641f48c8b653cc986e

SHA256
5d3ebe545e9f22256af972807af53a13e29623fe555544389c34e6721d9a78fa

SHA512
4e65a1d8ae253798aeffa6771afbe1bf3f6ee6402f9a10651b5790c8b51d2c722d47b88b995b50938deaf53671387d32e84ee125c7f662941bb80d2e03ad7b59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
541bcc5c10bf9bd6a7baf6548f69b011

SHA1
208880d73d7bcadfb2fb7d54ed7a41b8db333bac

SHA256
863682e742ced5dda0f2e62f16aed38b5ef6f374d535881f46112645f2550218

SHA512
ab2879cdae43c7bcdb71b76d1cfc2d7176330cd14c7e7e142209b7615adcb02c077bf8f96d9776172c0acb792992ae287fe81ef9c1ca7c85417ad2023fdad7e3

Download Submit
memory/536-13-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/560-50-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/560-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/560-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/576-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/576-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/920-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/920-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1056-54-0x0000000004850000-0x00000000049AF000-memory.dmp

Filesize
1.4MB

Download
memory/1056-72-0x0000000004B10000-0x0000000004C6F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1200-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-198-0x00000000045E0000-0x000000000473F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-88-0x0000000004240000-0x000000000439F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-87-0x0000000004240000-0x000000000439F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-243-0x00000000049C0000-0x0000000004B1F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-244-0x00000000049C0000-0x0000000004B1F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-174-0x0000000004930000-0x0000000004A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1748-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1748-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1928-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2148-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2148-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-101-0x0000000004930000-0x0000000004A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-223-0x0000000004A70000-0x0000000004BCF000-memory.dmp

Filesize
1.4MB

Download
memory/2320-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-238-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-233-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2592-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-157-0x0000000004150000-0x00000000042AF000-memory.dmp

Filesize
1.4MB

Download
memory/2948-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download