d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Size

1.1MB
MD5

52f31d3778e43772770d05902e1637c1
SHA1

40ccc9be592530cea1c34d64b9d161eadb93466b
SHA256

d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a
SHA512

79be60804452e198237c7facf7a4a497d4fa28f0f5c8f04c76169d20d20a1ade50d4843aa6a054577649c60c810b7b6738f33d966b710f203e638879df188673
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzMe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2596	svchcst.exe
2096	svchcst.exe
316	svchcst.exe
2164	svchcst.exe
960	svchcst.exe
2008	svchcst.exe
2144	svchcst.exe
2780	svchcst.exe
1300	svchcst.exe
1088	svchcst.exe
2520	svchcst.exe
1580	svchcst.exe
1680	svchcst.exe
1412	svchcst.exe
2768	svchcst.exe
948	svchcst.exe
2644	svchcst.exe
2060	svchcst.exe
1508	svchcst.exe
1660	svchcst.exe
2316	svchcst.exe
920	svchcst.exe
1800	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
2792	WScript.exe
2792	WScript.exe
1156	WScript.exe
2120	WScript.exe
576	WScript.exe
1972	WScript.exe
576	WScript.exe
1932	WScript.exe
1932	WScript.exe
3020	WScript.exe
2540	WScript.exe
2252	WScript.exe
2356	WScript.exe
3004	WScript.exe
3004	WScript.exe
3004	WScript.exe
2040	WScript.exe
2040	WScript.exe
2212	WScript.exe
2212	WScript.exe
2996	WScript.exe
2996	WScript.exe
2476	WScript.exe
2476	WScript.exe
2908	WScript.exe
2908	WScript.exe
2452	WScript.exe
2452	WScript.exe
3064	WScript.exe
3064	WScript.exe
2108	WScript.exe
2108	WScript.exe
1252	WScript.exe
1252	WScript.exe
1972	WScript.exe
1972	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
2596	svchcst.exe
2596	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
316	svchcst.exe
316	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
960	svchcst.exe
960	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
1088	svchcst.exe
1088	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
920	svchcst.exe
920	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2792	1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	30
PID 1976 wrote to memory of 2792	1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	30
PID 1976 wrote to memory of 2792	1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	30
PID 1976 wrote to memory of 2792	1976	d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe	30
PID 2792 wrote to memory of 2596	2792	WScript.exe	32
PID 2792 wrote to memory of 2596	2792	WScript.exe	32
PID 2792 wrote to memory of 2596	2792	WScript.exe	32
PID 2792 wrote to memory of 2596	2792	WScript.exe	32
PID 2596 wrote to memory of 1156	2596	svchcst.exe	33
PID 2596 wrote to memory of 1156	2596	svchcst.exe	33
PID 2596 wrote to memory of 1156	2596	svchcst.exe	33
PID 2596 wrote to memory of 1156	2596	svchcst.exe	33
PID 1156 wrote to memory of 2096	1156	WScript.exe	34
PID 1156 wrote to memory of 2096	1156	WScript.exe	34
PID 1156 wrote to memory of 2096	1156	WScript.exe	34
PID 1156 wrote to memory of 2096	1156	WScript.exe	34
PID 2096 wrote to memory of 2120	2096	svchcst.exe	35
PID 2096 wrote to memory of 2120	2096	svchcst.exe	35
PID 2096 wrote to memory of 2120	2096	svchcst.exe	35
PID 2096 wrote to memory of 2120	2096	svchcst.exe	35
PID 2120 wrote to memory of 316	2120	WScript.exe	36
PID 2120 wrote to memory of 316	2120	WScript.exe	36
PID 2120 wrote to memory of 316	2120	WScript.exe	36
PID 2120 wrote to memory of 316	2120	WScript.exe	36
PID 316 wrote to memory of 576	316	svchcst.exe	37
PID 316 wrote to memory of 576	316	svchcst.exe	37
PID 316 wrote to memory of 576	316	svchcst.exe	37
PID 316 wrote to memory of 576	316	svchcst.exe	37
PID 576 wrote to memory of 2164	576	WScript.exe	38
PID 576 wrote to memory of 2164	576	WScript.exe	38
PID 576 wrote to memory of 2164	576	WScript.exe	38
PID 576 wrote to memory of 2164	576	WScript.exe	38
PID 2164 wrote to memory of 1972	2164	svchcst.exe	39
PID 2164 wrote to memory of 1972	2164	svchcst.exe	39
PID 2164 wrote to memory of 1972	2164	svchcst.exe	39
PID 2164 wrote to memory of 1972	2164	svchcst.exe	39
PID 1972 wrote to memory of 960	1972	WScript.exe	40
PID 1972 wrote to memory of 960	1972	WScript.exe	40
PID 1972 wrote to memory of 960	1972	WScript.exe	40
PID 1972 wrote to memory of 960	1972	WScript.exe	40
PID 960 wrote to memory of 884	960	svchcst.exe	41
PID 960 wrote to memory of 884	960	svchcst.exe	41
PID 960 wrote to memory of 884	960	svchcst.exe	41
PID 960 wrote to memory of 884	960	svchcst.exe	41
PID 576 wrote to memory of 2008	576	WScript.exe	42
PID 576 wrote to memory of 2008	576	WScript.exe	42
PID 576 wrote to memory of 2008	576	WScript.exe	42
PID 576 wrote to memory of 2008	576	WScript.exe	42
PID 2008 wrote to memory of 1932	2008	svchcst.exe	43
PID 2008 wrote to memory of 1932	2008	svchcst.exe	43
PID 2008 wrote to memory of 1932	2008	svchcst.exe	43
PID 2008 wrote to memory of 1932	2008	svchcst.exe	43
PID 1932 wrote to memory of 2144	1932	WScript.exe	44
PID 1932 wrote to memory of 2144	1932	WScript.exe	44
PID 1932 wrote to memory of 2144	1932	WScript.exe	44
PID 1932 wrote to memory of 2144	1932	WScript.exe	44
PID 2144 wrote to memory of 3020	2144	svchcst.exe	45
PID 2144 wrote to memory of 3020	2144	svchcst.exe	45
PID 2144 wrote to memory of 3020	2144	svchcst.exe	45
PID 2144 wrote to memory of 3020	2144	svchcst.exe	45
PID 3020 wrote to memory of 2780	3020	WScript.exe	46
PID 3020 wrote to memory of 2780	3020	WScript.exe	46
PID 3020 wrote to memory of 2780	3020	WScript.exe	46
PID 3020 wrote to memory of 2780	3020	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe
"C:\Users\Admin\AppData\Local\Temp\d3f5edaebaf22e31d3c4c7fd0cb095cdea60f6ac26db33caafa49bf3ecd9392a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cc58665a006d8587f052f05f7e36e111

SHA1
14ff96d3f51bb54b99c5f391eecf1f4a9ee90a5f

SHA256
989228a1e2fc5937e37962f864930b0bfac8e2da406467f7bd9b7e1e45a401b2

SHA512
ff9c25fe7610feaa503e62801a55b1f9b2e910bb1bc4268a3b9bee563373cf8aa0b3e93be322c1f83615b6f59ba0abd2761e0f0740a67de24873aebebce7235b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ecbd22f218ece31494935a52d62bb50

SHA1
ac687aad8979f9f6bf3741ce49662e37dd8b47f1

SHA256
26803abc1799adf703b177f3d16315f9e3bbdd57b7a4cf24cc86224488b598f6

SHA512
511603ffa6a1ff0f24f35cbc37152116ecbecaa627412ee35e4a3e410051532ee840fe4dc0440ccba8e4cc7d2f9ea4961b01eb136413d8c36df6e7ca93890f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25db347a64775ef804de727ab5aa4433

SHA1
025af8ecfaa6f70ab6ff286a2f9c5995bf11c119

SHA256
edea9289f054b6f7d39be951208a2ddda95917c3bad6efa144da26cdf02ab6b3

SHA512
84f93e130a7c4691873898558d3bd1c4aa3f54f2ee17fcf3b667c71fab0d0eba2e5dd9935c8b7de39c3fc126301550e90887e3fbb30cece73ef0514e7ec723ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44e6768109dba0b77bddf24cb3e86011

SHA1
1ea90f75a10c5dd9820c4ac357a3f8c87fdf3619

SHA256
0dc4e72ba19c517e5992a4e37fdf39965a3aeceef5f88f2d39882021a106fa7b

SHA512
7106f0f6ab281b556e427caedadff1741ee06182414522560e28950f1d08d94bca5b1330cc348ad41940e8afa28794c6ab90ae16e4a52e0f9286d38b3c67ba32

Download Submit
memory/316-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/316-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/576-69-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/920-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1088-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1088-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1252-237-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/1300-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1412-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1580-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1580-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-92-0x00000000048C0000-0x0000000004A1F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-108-0x00000000048C0000-0x0000000004A1F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-166-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2060-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-228-0x0000000005850000-0x00000000059AF000-memory.dmp

Filesize
1.4MB

Download
memory/2144-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-175-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/2316-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-211-0x0000000004380000-0x00000000044DF000-memory.dmp

Filesize
1.4MB

Download
memory/2476-192-0x0000000004450000-0x00000000045AF000-memory.dmp

Filesize
1.4MB

Download
memory/2520-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-201-0x0000000004330000-0x000000000448F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-202-0x0000000004330000-0x000000000448F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-184-0x00000000043D0000-0x000000000452F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-219-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download