896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
Size

1.1MB
MD5

330db759660bd928ed72b46a357590f8
SHA1

504931920bd285359cf085b1ba64bf22562b7113
SHA256

896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e
SHA512

333bfc4af7c11afccbd23aef9dee1d7af57a7d90c98afb26db34b70eefce5786ada010076826bbf944ca4aee0df1fd2af5280117f0e699e2ba2afbbbd18ab854
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzM1

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2832	svchcst.exe
2296	svchcst.exe
2148	svchcst.exe
1260	svchcst.exe
1148	svchcst.exe
1072	svchcst.exe
2188	svchcst.exe
2144	svchcst.exe
2916	svchcst.exe
2796	svchcst.exe
832	svchcst.exe
2176	svchcst.exe
2164	svchcst.exe
2276	svchcst.exe
264	svchcst.exe
1944	svchcst.exe
2144	svchcst.exe
2808	svchcst.exe
2812	svchcst.exe
2456	svchcst.exe
1416	svchcst.exe
1932	svchcst.exe
2416	svchcst.exe
1160	svchcst.exe
868	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2232	WScript.exe
2232	WScript.exe
2476	WScript.exe
1416	WScript.exe
636	WScript.exe
636	WScript.exe
2228	WScript.exe
2228	WScript.exe
2668	WScript.exe
1732	WScript.exe
2320	WScript.exe
2944	WScript.exe
2360	WScript.exe
2360	WScript.exe
2460	WScript.exe
2460	WScript.exe
1144	WScript.exe
1144	WScript.exe
2208	WScript.exe
2208	WScript.exe
852	WScript.exe
852	WScript.exe
1880	WScript.exe
1880	WScript.exe
1880	WScript.exe
1880	WScript.exe
2904	WScript.exe
2904	WScript.exe
1780	WScript.exe
1780	WScript.exe
2348	WScript.exe
2348	WScript.exe
2684	WScript.exe
2684	WScript.exe
2388	WScript.exe
2388	WScript.exe
2252	WScript.exe
2252	WScript.exe
1644	WScript.exe
1644	WScript.exe
2652	WScript.exe
2652	WScript.exe
1688	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
2832	svchcst.exe
2832	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
1260	svchcst.exe
1260	svchcst.exe
1148	svchcst.exe
1148	svchcst.exe
1072	svchcst.exe
1072	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
832	svchcst.exe
832	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
264	svchcst.exe
264	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2808	svchcst.exe
2808	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
868	svchcst.exe
868	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2232	2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe	30
PID 2776 wrote to memory of 2232	2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe	30
PID 2776 wrote to memory of 2232	2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe	30
PID 2776 wrote to memory of 2232	2776	896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe	30
PID 2232 wrote to memory of 2832	2232	WScript.exe	32
PID 2232 wrote to memory of 2832	2232	WScript.exe	32
PID 2232 wrote to memory of 2832	2232	WScript.exe	32
PID 2232 wrote to memory of 2832	2232	WScript.exe	32
PID 2832 wrote to memory of 2476	2832	svchcst.exe	33
PID 2832 wrote to memory of 2476	2832	svchcst.exe	33
PID 2832 wrote to memory of 2476	2832	svchcst.exe	33
PID 2832 wrote to memory of 2476	2832	svchcst.exe	33
PID 2476 wrote to memory of 2296	2476	WScript.exe	34
PID 2476 wrote to memory of 2296	2476	WScript.exe	34
PID 2476 wrote to memory of 2296	2476	WScript.exe	34
PID 2476 wrote to memory of 2296	2476	WScript.exe	34
PID 2296 wrote to memory of 1416	2296	svchcst.exe	35
PID 2296 wrote to memory of 1416	2296	svchcst.exe	35
PID 2296 wrote to memory of 1416	2296	svchcst.exe	35
PID 2296 wrote to memory of 1416	2296	svchcst.exe	35
PID 1416 wrote to memory of 2148	1416	WScript.exe	36
PID 1416 wrote to memory of 2148	1416	WScript.exe	36
PID 1416 wrote to memory of 2148	1416	WScript.exe	36
PID 1416 wrote to memory of 2148	1416	WScript.exe	36
PID 2148 wrote to memory of 636	2148	svchcst.exe	37
PID 2148 wrote to memory of 636	2148	svchcst.exe	37
PID 2148 wrote to memory of 636	2148	svchcst.exe	37
PID 2148 wrote to memory of 636	2148	svchcst.exe	37
PID 636 wrote to memory of 1260	636	WScript.exe	38
PID 636 wrote to memory of 1260	636	WScript.exe	38
PID 636 wrote to memory of 1260	636	WScript.exe	38
PID 636 wrote to memory of 1260	636	WScript.exe	38
PID 1260 wrote to memory of 2228	1260	svchcst.exe	39
PID 1260 wrote to memory of 2228	1260	svchcst.exe	39
PID 1260 wrote to memory of 2228	1260	svchcst.exe	39
PID 1260 wrote to memory of 2228	1260	svchcst.exe	39
PID 2228 wrote to memory of 1148	2228	WScript.exe	40
PID 2228 wrote to memory of 1148	2228	WScript.exe	40
PID 2228 wrote to memory of 1148	2228	WScript.exe	40
PID 2228 wrote to memory of 1148	2228	WScript.exe	40
PID 1148 wrote to memory of 2668	1148	svchcst.exe	41
PID 1148 wrote to memory of 2668	1148	svchcst.exe	41
PID 1148 wrote to memory of 2668	1148	svchcst.exe	41
PID 1148 wrote to memory of 2668	1148	svchcst.exe	41
PID 2668 wrote to memory of 1072	2668	WScript.exe	42
PID 2668 wrote to memory of 1072	2668	WScript.exe	42
PID 2668 wrote to memory of 1072	2668	WScript.exe	42
PID 2668 wrote to memory of 1072	2668	WScript.exe	42
PID 1072 wrote to memory of 1732	1072	svchcst.exe	43
PID 1072 wrote to memory of 1732	1072	svchcst.exe	43
PID 1072 wrote to memory of 1732	1072	svchcst.exe	43
PID 1072 wrote to memory of 1732	1072	svchcst.exe	43
PID 1732 wrote to memory of 2188	1732	WScript.exe	44
PID 1732 wrote to memory of 2188	1732	WScript.exe	44
PID 1732 wrote to memory of 2188	1732	WScript.exe	44
PID 1732 wrote to memory of 2188	1732	WScript.exe	44
PID 2188 wrote to memory of 2320	2188	svchcst.exe	45
PID 2188 wrote to memory of 2320	2188	svchcst.exe	45
PID 2188 wrote to memory of 2320	2188	svchcst.exe	45
PID 2188 wrote to memory of 2320	2188	svchcst.exe	45
PID 2320 wrote to memory of 2144	2320	WScript.exe	46
PID 2320 wrote to memory of 2144	2320	WScript.exe	46
PID 2320 wrote to memory of 2144	2320	WScript.exe	46
PID 2320 wrote to memory of 2144	2320	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe
"C:\Users\Admin\AppData\Local\Temp\896c083e6fa2e3d8fcf062c4516307b56e5ab1ce2cb9e4002cbfb1053c00ae5e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8ae471a6b36aab6d26424f62e2a54d48

SHA1
8bea769c27f0be7f8adc20fb1a0855f9eb2c8290

SHA256
8e5b8d07239c6288e6cc0ad92253ad658d067957827226391c5568aaf1f0d9f6

SHA512
8dbb59812a976260b7e63dadbfb50f6cd7ba834a67fd8805ac439accac60d399776785fbfe96555b1514e54cb53366267cf4bd500f6813060f94f06c67d5ceed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b960989210600759acfdd6d807ae3669

SHA1
8d886113e7d44f0e5efb5ca6b133314c36bfc883

SHA256
224c599ddbd27d991fbb2f273ab80dbb842b4ff261008fc146f47b9353e25d4d

SHA512
a545a27ef60cd3de643659feae63c2c464537c4ace76219437513f9b819af29449dbf2eaa79bdc452041e6ca174108bfdf7b53d79dc2577206071da219cb67c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
292aab2a83474327895fb0da6575d318

SHA1
688615595a33f3c146d00fa5dc4feadf40fc5764

SHA256
7f90e30c87fe72db6872465b046c48b0ffd22277aefc9a92127d68bb3d4b387a

SHA512
5cf73bfacde5d5a31a1d0eb7187a2301198355ff718508303df90cc094724f689a32368fc060b85cb67af83888a4748fe02553539f82bcffce7735705156158b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4ee8f969d730eb2c8e1f14adaa39cdc7

SHA1
f4e8fc78ce5fe6efecc4fc66d085ca5e8c543662

SHA256
6003e93fe69d9b38214ceb179f8ead5ff60629f4efef478b4fcd454a2c48ca36

SHA512
b602710d312065cfaa71ac59de1073bca3a66d155ad269f43756258fb568f82d3e895dde169b8fe520cf6a08b1c89851516f5552e06a09a837c5b254e5a108c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a82d2c8b180c27582748c351ff4933b

SHA1
a46632ce5837415a3cca509df607e5154a255da3

SHA256
2c3856f739810f2065769586b7ca5ec9f348e9d953e6eda9d41a7499e2b8af50

SHA512
29f0369962ac2ddced764185927e379f07deb6010ccaa4f2790dce19699ca497efa9366cab341fa6aa65b3b61d4a4b36d8dcb591a0525ef37e8563148069d7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6362fcebe40a64564ee5172edcd405ac

SHA1
0fd36e5ef0cbc613ef38cf7b62f1c143a8edc886

SHA256
90831560891bf2066da9b31567611bf6201b950189fb31b29ea3237f232af537

SHA512
5ca977e78f9fbb2101bbcfbb18ec29407564130127d080b0f2fc72ce8b1bbbc41b0ea9c6ec375de1afa76f370aff8ea7406f73ca67a48b78dd54763f2efe3c20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb479a843120f97ccf75e19709550ee4

SHA1
87b4852af431013fd43575d89e5e97fa9a3ae989

SHA256
cc6140ecbc36594989da7614cb07a0fc6d8a03c0970a49d99b2c688dc1718acc

SHA512
79991ff28a3e764340746d0bcbe7b3d0db1c6ab416d8c2c9170c34ac195be17a6676a4084d271d22f7edc9b678e7261c1b617d9bb1f5eda233f6774a2a21b7e5

Download Submit
memory/2776-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download