8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Size

1.1MB
MD5

2a512b481d90e0062bb8d0bc1984bb97
SHA1

05732e7340d6dfe9ae849461c421c3b77cab4a3e
SHA256

8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704
SHA512

861dd67a9f0e49be56dd20ac171eea4bc2db51496fc4effcc1615eecb679c9941541e6dce6eb87217bef7350458f6d0d9d9525321e2efbba743e07b030f279ef
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2904	svchcst.exe
2640	svchcst.exe
2096	svchcst.exe
2584	svchcst.exe
2940	svchcst.exe
1536	svchcst.exe
2476	svchcst.exe
1048	svchcst.exe
2412	svchcst.exe
1152	svchcst.exe
2760	svchcst.exe
1164	svchcst.exe
2448	svchcst.exe
2692	svchcst.exe
1536	svchcst.exe
2360	svchcst.exe
2532	svchcst.exe
1152	svchcst.exe
2300	svchcst.exe
1760	svchcst.exe
1524	svchcst.exe
1752	svchcst.exe
2496	svchcst.exe
2272	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2560	WScript.exe
2560	WScript.exe
2568	WScript.exe
1544	WScript.exe
1544	WScript.exe
2172	WScript.exe
1044	WScript.exe
1928	WScript.exe
1928	WScript.exe
1928	WScript.exe
2508	WScript.exe
2508	WScript.exe
2508	WScript.exe
1752	WScript.exe
1752	WScript.exe
284	WScript.exe
2084	WScript.exe
2564	WScript.exe
2564	WScript.exe
1828	WScript.exe
1828	WScript.exe
1596	WScript.exe
1596	WScript.exe
2716	WScript.exe
2716	WScript.exe
2540	WScript.exe
2540	WScript.exe
2820	WScript.exe
2820	WScript.exe
2184	WScript.exe
2184	WScript.exe
848	WScript.exe
848	WScript.exe
2180	WScript.exe
2180	WScript.exe
2692	WScript.exe
2692	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
2904	svchcst.exe
2904	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2560	3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	30
PID 3068 wrote to memory of 2560	3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	30
PID 3068 wrote to memory of 2560	3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	30
PID 3068 wrote to memory of 2560	3068	8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe	30
PID 2560 wrote to memory of 2904	2560	WScript.exe	33
PID 2560 wrote to memory of 2904	2560	WScript.exe	33
PID 2560 wrote to memory of 2904	2560	WScript.exe	33
PID 2560 wrote to memory of 2904	2560	WScript.exe	33
PID 2904 wrote to memory of 2568	2904	svchcst.exe	34
PID 2904 wrote to memory of 2568	2904	svchcst.exe	34
PID 2904 wrote to memory of 2568	2904	svchcst.exe	34
PID 2904 wrote to memory of 2568	2904	svchcst.exe	34
PID 2568 wrote to memory of 2640	2568	WScript.exe	35
PID 2568 wrote to memory of 2640	2568	WScript.exe	35
PID 2568 wrote to memory of 2640	2568	WScript.exe	35
PID 2568 wrote to memory of 2640	2568	WScript.exe	35
PID 2640 wrote to memory of 1544	2640	svchcst.exe	36
PID 2640 wrote to memory of 1544	2640	svchcst.exe	36
PID 2640 wrote to memory of 1544	2640	svchcst.exe	36
PID 2640 wrote to memory of 1544	2640	svchcst.exe	36
PID 1544 wrote to memory of 2096	1544	WScript.exe	37
PID 1544 wrote to memory of 2096	1544	WScript.exe	37
PID 1544 wrote to memory of 2096	1544	WScript.exe	37
PID 1544 wrote to memory of 2096	1544	WScript.exe	37
PID 2096 wrote to memory of 1648	2096	svchcst.exe	38
PID 2096 wrote to memory of 1648	2096	svchcst.exe	38
PID 2096 wrote to memory of 1648	2096	svchcst.exe	38
PID 2096 wrote to memory of 1648	2096	svchcst.exe	38
PID 1544 wrote to memory of 2584	1544	WScript.exe	39
PID 1544 wrote to memory of 2584	1544	WScript.exe	39
PID 1544 wrote to memory of 2584	1544	WScript.exe	39
PID 1544 wrote to memory of 2584	1544	WScript.exe	39
PID 2584 wrote to memory of 2172	2584	svchcst.exe	40
PID 2584 wrote to memory of 2172	2584	svchcst.exe	40
PID 2584 wrote to memory of 2172	2584	svchcst.exe	40
PID 2584 wrote to memory of 2172	2584	svchcst.exe	40
PID 2172 wrote to memory of 2940	2172	WScript.exe	41
PID 2172 wrote to memory of 2940	2172	WScript.exe	41
PID 2172 wrote to memory of 2940	2172	WScript.exe	41
PID 2172 wrote to memory of 2940	2172	WScript.exe	41
PID 2940 wrote to memory of 1044	2940	svchcst.exe	42
PID 2940 wrote to memory of 1044	2940	svchcst.exe	42
PID 2940 wrote to memory of 1044	2940	svchcst.exe	42
PID 2940 wrote to memory of 1044	2940	svchcst.exe	42
PID 1044 wrote to memory of 1536	1044	WScript.exe	43
PID 1044 wrote to memory of 1536	1044	WScript.exe	43
PID 1044 wrote to memory of 1536	1044	WScript.exe	43
PID 1044 wrote to memory of 1536	1044	WScript.exe	43
PID 1536 wrote to memory of 1928	1536	svchcst.exe	44
PID 1536 wrote to memory of 1928	1536	svchcst.exe	44
PID 1536 wrote to memory of 1928	1536	svchcst.exe	44
PID 1536 wrote to memory of 1928	1536	svchcst.exe	44
PID 1928 wrote to memory of 2476	1928	WScript.exe	45
PID 1928 wrote to memory of 2476	1928	WScript.exe	45
PID 1928 wrote to memory of 2476	1928	WScript.exe	45
PID 1928 wrote to memory of 2476	1928	WScript.exe	45
PID 1928 wrote to memory of 1048	1928	WScript.exe	46
PID 1928 wrote to memory of 1048	1928	WScript.exe	46
PID 1928 wrote to memory of 1048	1928	WScript.exe	46
PID 1928 wrote to memory of 1048	1928	WScript.exe	46
PID 1048 wrote to memory of 1560	1048	svchcst.exe	47
PID 1048 wrote to memory of 1560	1048	svchcst.exe	47
PID 1048 wrote to memory of 1560	1048	svchcst.exe	47
PID 1048 wrote to memory of 1560	1048	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe
"C:\Users\Admin\AppData\Local\Temp\8a08e9fab5333a5ab546d582afd41fd2229f571d3caf454c6c0a03f7eb9e5704.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8052781dbd4f45c8df7789f224783ba7

SHA1
0593c9236e6128a6c9f4f290b433e8817e19b03d

SHA256
27bf0b822c3a21e16fe4184272e7eae6cbcbc31f3d2aa112f63edb44871ca4e5

SHA512
334a8063478510973bb9bb7dc9e64fb79dbfd978b4f7c90d3413f92c78325ec5403f05d7c7c60a5de481e4cc744c47bf64d32c2dc4375ec8baeeb422081853a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5c727957362afa43da153148134a4dd8

SHA1
44b3bee63f219a285a077fd2b23a7c55b926004d

SHA256
592326d4f1c87f12fd741cda51fe5efb32a055483687612a45995ac4e4957adf

SHA512
1e371ada3e4f04ea0df8892ed363aedc16332ab24577fa05a320b9fc8beba99ec1f5fe42a27c77c5dc95cec9779bc2bcd468ce05d1403871b913a5a44566f304

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c4fec5ce34df18e7f3e6cc9db3a71c00

SHA1
cb6f17e4759d8fd1af53950e8dfdba40887876bc

SHA256
9a2363ad2f00be8fdd8c23abfd094da0afe59498213d0a1ba8e097f617c78cc0

SHA512
a0aa4d6abfbed559303b76fc28a93d5a965a72b80ca240e5ac647557192f16744fb72775cd53bae4fa068e87f58872b4939a31abfbce41bddab7bede214f8dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1828b4daa006ead79351555cdf01097

SHA1
aed454f2485e56919c7431007ad9e6a2dcb7da23

SHA256
f8fa06075fee7fa35e79b43bcf5b26ae5b43febe65ed0466e5fa91204ac60c22

SHA512
312a4f38fe77d2e7099ade465ee1baea8cf980fae8993d2fe3563dc80842240a8928ce534bfcbf3668f730573276f2dd07a01fb72b549a2b9298d401aa7b0090

Download Submit
memory/1048-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-139-0x0000000005E00000-0x0000000005F5F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1928-99-0x0000000004840000-0x000000000499F000-memory.dmp

Filesize
1.4MB

Download
memory/1928-83-0x0000000004340000-0x000000000449F000-memory.dmp

Filesize
1.4MB

Download
memory/1928-87-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-15-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-168-0x0000000004500000-0x000000000465F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-29-0x0000000005B60000-0x0000000005CBF000-memory.dmp

Filesize
1.4MB

Download
memory/2584-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download