3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
Size

1.1MB
MD5

36247942fc9f074517b59111709f0c02
SHA1

a79b9872bcf2e1eab71beaadc74499961d106ffc
SHA256

3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459
SHA512

248187aefa7bc157cae58fba1d864775b6fdb8a98ebf50b2880a3426031a3c702bdc9df1c9b47a4d7de0afb2ffa508481ea0b53b715cd1bbb4fb48322da550a5
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QY:acallSllG4ZM7QzMP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2864	svchcst.exe
2008	svchcst.exe
1080	svchcst.exe
688	svchcst.exe
1840	svchcst.exe
944	svchcst.exe
2068	svchcst.exe
2720	svchcst.exe
2328	svchcst.exe
2588	svchcst.exe
1400	svchcst.exe
408	svchcst.exe
3004	svchcst.exe
3000	svchcst.exe
1744	svchcst.exe
2360	svchcst.exe
1940	svchcst.exe
2600	svchcst.exe
2320	svchcst.exe
1996	svchcst.exe
1712	svchcst.exe
2288	svchcst.exe
2164	svchcst.exe
1424	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2968	WScript.exe
2968	WScript.exe
2652	WScript.exe
2932	WScript.exe
1164	WScript.exe
1164	WScript.exe
2856	WScript.exe
2856	WScript.exe
1108	WScript.exe
1748	WScript.exe
2076	WScript.exe
2076	WScript.exe
2076	WScript.exe
2676	WScript.exe
2676	WScript.exe
580	WScript.exe
2428	WScript.exe
2428	WScript.exe
1840	WScript.exe
1840	WScript.exe
1764	WScript.exe
1764	WScript.exe
2448	WScript.exe
2448	WScript.exe
3024	WScript.exe
3024	WScript.exe
2168	WScript.exe
2168	WScript.exe
1072	WScript.exe
1072	WScript.exe
320	WScript.exe
320	WScript.exe
1376	WScript.exe
1376	WScript.exe
1516	WScript.exe
1516	WScript.exe
1672	WScript.exe
1672	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
2864	svchcst.exe
2864	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
688	svchcst.exe
688	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
944	svchcst.exe
944	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1400	svchcst.exe
1400	svchcst.exe
408	svchcst.exe
408	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1424	svchcst.exe
1424	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2968	2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe	30
PID 2544 wrote to memory of 2968	2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe	30
PID 2544 wrote to memory of 2968	2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe	30
PID 2544 wrote to memory of 2968	2544	3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe	30
PID 2968 wrote to memory of 2864	2968	WScript.exe	32
PID 2968 wrote to memory of 2864	2968	WScript.exe	32
PID 2968 wrote to memory of 2864	2968	WScript.exe	32
PID 2968 wrote to memory of 2864	2968	WScript.exe	32
PID 2864 wrote to memory of 2652	2864	svchcst.exe	33
PID 2864 wrote to memory of 2652	2864	svchcst.exe	33
PID 2864 wrote to memory of 2652	2864	svchcst.exe	33
PID 2864 wrote to memory of 2652	2864	svchcst.exe	33
PID 2652 wrote to memory of 2008	2652	WScript.exe	34
PID 2652 wrote to memory of 2008	2652	WScript.exe	34
PID 2652 wrote to memory of 2008	2652	WScript.exe	34
PID 2652 wrote to memory of 2008	2652	WScript.exe	34
PID 2008 wrote to memory of 2932	2008	svchcst.exe	35
PID 2008 wrote to memory of 2932	2008	svchcst.exe	35
PID 2008 wrote to memory of 2932	2008	svchcst.exe	35
PID 2008 wrote to memory of 2932	2008	svchcst.exe	35
PID 2932 wrote to memory of 1080	2932	WScript.exe	37
PID 2932 wrote to memory of 1080	2932	WScript.exe	37
PID 2932 wrote to memory of 1080	2932	WScript.exe	37
PID 2932 wrote to memory of 1080	2932	WScript.exe	37
PID 1080 wrote to memory of 1164	1080	svchcst.exe	38
PID 1080 wrote to memory of 1164	1080	svchcst.exe	38
PID 1080 wrote to memory of 1164	1080	svchcst.exe	38
PID 1080 wrote to memory of 1164	1080	svchcst.exe	38
PID 1164 wrote to memory of 688	1164	WScript.exe	39
PID 1164 wrote to memory of 688	1164	WScript.exe	39
PID 1164 wrote to memory of 688	1164	WScript.exe	39
PID 1164 wrote to memory of 688	1164	WScript.exe	39
PID 688 wrote to memory of 2856	688	svchcst.exe	40
PID 688 wrote to memory of 2856	688	svchcst.exe	40
PID 688 wrote to memory of 2856	688	svchcst.exe	40
PID 688 wrote to memory of 2856	688	svchcst.exe	40
PID 2856 wrote to memory of 1840	2856	WScript.exe	41
PID 2856 wrote to memory of 1840	2856	WScript.exe	41
PID 2856 wrote to memory of 1840	2856	WScript.exe	41
PID 2856 wrote to memory of 1840	2856	WScript.exe	41
PID 1840 wrote to memory of 1108	1840	svchcst.exe	42
PID 1840 wrote to memory of 1108	1840	svchcst.exe	42
PID 1840 wrote to memory of 1108	1840	svchcst.exe	42
PID 1840 wrote to memory of 1108	1840	svchcst.exe	42
PID 1108 wrote to memory of 944	1108	WScript.exe	43
PID 1108 wrote to memory of 944	1108	WScript.exe	43
PID 1108 wrote to memory of 944	1108	WScript.exe	43
PID 1108 wrote to memory of 944	1108	WScript.exe	43
PID 944 wrote to memory of 1748	944	svchcst.exe	44
PID 944 wrote to memory of 1748	944	svchcst.exe	44
PID 944 wrote to memory of 1748	944	svchcst.exe	44
PID 944 wrote to memory of 1748	944	svchcst.exe	44
PID 1748 wrote to memory of 2068	1748	WScript.exe	45
PID 1748 wrote to memory of 2068	1748	WScript.exe	45
PID 1748 wrote to memory of 2068	1748	WScript.exe	45
PID 1748 wrote to memory of 2068	1748	WScript.exe	45
PID 2068 wrote to memory of 2076	2068	svchcst.exe	46
PID 2068 wrote to memory of 2076	2068	svchcst.exe	46
PID 2068 wrote to memory of 2076	2068	svchcst.exe	46
PID 2068 wrote to memory of 2076	2068	svchcst.exe	46
PID 2076 wrote to memory of 2720	2076	WScript.exe	47
PID 2076 wrote to memory of 2720	2076	WScript.exe	47
PID 2076 wrote to memory of 2720	2076	WScript.exe	47
PID 2076 wrote to memory of 2720	2076	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe
"C:\Users\Admin\AppData\Local\Temp\3943e1c9fa88a32b1d589cf75dee13bd70029e8365a64b471e39e3c57849f459.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cb8ebe5ace84b39120bf275815338cee

SHA1
73458d21ebc73c1b2c1a826e1fc6c418c20c736d

SHA256
b7c7458d1708ff5f42aa893d1704b420880ee6108f37999d0b9b0d727eed5d80

SHA512
b57e8e8d2f038ad1d1e7914768508dca7e6ff01aa9ca5516da7651b79c9473aefbb3ec935dfb922e3d83a7c54317014df9c159bd2d81c5337b5ef2dc21dc726b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
087a0c6d7558487b3abb0447f58b2957

SHA1
eeed7990c0ec9ecc7b30ed6fef9c9847ddcbee50

SHA256
8c8e7bccb68bda0528e8f5beb0e4cdc73c44d08ac23cc05942a30560583fd5a1

SHA512
96649193f1c5953d6c29b14aa2a8a6cbdb0c0bcf48f91cfd392afadb19bb5495d75bb282e59c30759c55f6647e0df71751a53a93cce3b7af8262b319ebd30dee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
361da185db692e2b7c998f0887d54435

SHA1
0294c687a540022d5c77fae390e35e94d2d6d8c7

SHA256
481ae520915dd4e91f73a944a5dfbaa91ad68afe137dd613794b790b60bf25c0

SHA512
8ca5959a69a68712b0e22f06552743bb396529a30394e67da8f979fcf66966761498a802bcf2a85b80df2345c20671a418aeaf87d43f2dafb47268e987239d09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dba2da9021c8b9321b52062da5779b27

SHA1
d3dbf28ccd60b2e416512b6a451b8d6b01c3532c

SHA256
2398035c1d632d87f6bd7c0a1cf3c728aec2977933953729c6937358424e1cd6

SHA512
102c27150b8694f3a28b960501d84d59844103c045c06edcf29e49dad8af388861fc092db2c15d4f3860aa6c450113609c52e8712f695d2516c4ab32687cfb40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9091379224daf97cc0cfe0e432a59443

SHA1
bad93c97acd32fcda8514f7589d492dec5b0c69f

SHA256
edb6c452f9924d3796683a4601f74bc7e6f35d73b7c1491fda00c03958a0702a

SHA512
bc29cc6ad08b196ed0d53eea62fb9943a07dcd9521285870c51488b6ad26aa38716c72dcd1c68516c8a3fdbff2925687d23d97de65859427c2aa865d4a532050

Download Submit
memory/408-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/408-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/944-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1080-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1108-80-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-165-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2544-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2544-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-28-0x0000000004710000-0x000000000486F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-65-0x0000000003EF0000-0x000000000404F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-68-0x0000000003EF0000-0x000000000404F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-15-0x00000000044B0000-0x000000000460F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download