94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86

Analysis

max time kernel
62s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
Size

1.1MB
MD5

9cb2e24f881a465caa69b86f8e0c77b1
SHA1

afe16b2327a4cd552d5969da5758193c377c5a16
SHA256

94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86
SHA512

f4fd3263b48f7447f9026e1cb22b6d4f836741405dd5e3be1c5ddcaa9c6733ef2433595617038e8a47db50b9b7a57be50ced41f6fe8badb45217a5c6fd8c44c2
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q6:acallSllG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	svchcst.exe

Executes dropped EXE 14 IoCs

pid	Process
2784	svchcst.exe
2624	svchcst.exe
2608	svchcst.exe
2844	svchcst.exe
2952	svchcst.exe
1808	svchcst.exe
364	svchcst.exe
2268	svchcst.exe
2632	svchcst.exe
2068	svchcst.exe
3052	svchcst.exe
3068	svchcst.exe
1884	svchcst.exe
1876	svchcst.exe

Loads dropped DLL 16 IoCs

pid	Process
2352	WScript.exe
2352	WScript.exe
2572	WScript.exe
1272	WScript.exe
1272	WScript.exe
1272	WScript.exe
2652	WScript.exe
1196	WScript.exe
2232	WScript.exe
1560	WScript.exe
2232	WScript.exe
2636	WScript.exe
2636	WScript.exe
2640	WScript.exe
2636	WScript.exe
2184	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
2784	svchcst.exe
2784	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
364	svchcst.exe
364	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2352	2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe	30
PID 2108 wrote to memory of 2352	2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe	30
PID 2108 wrote to memory of 2352	2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe	30
PID 2108 wrote to memory of 2352	2108	94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe	30
PID 2352 wrote to memory of 2784	2352	WScript.exe	33
PID 2352 wrote to memory of 2784	2352	WScript.exe	33
PID 2352 wrote to memory of 2784	2352	WScript.exe	33
PID 2352 wrote to memory of 2784	2352	WScript.exe	33
PID 2784 wrote to memory of 2572	2784	svchcst.exe	34
PID 2784 wrote to memory of 2572	2784	svchcst.exe	34
PID 2784 wrote to memory of 2572	2784	svchcst.exe	34
PID 2784 wrote to memory of 2572	2784	svchcst.exe	34
PID 2572 wrote to memory of 2624	2572	WScript.exe	35
PID 2572 wrote to memory of 2624	2572	WScript.exe	35
PID 2572 wrote to memory of 2624	2572	WScript.exe	35
PID 2572 wrote to memory of 2624	2572	WScript.exe	35
PID 2624 wrote to memory of 1272	2624	svchcst.exe	36
PID 2624 wrote to memory of 1272	2624	svchcst.exe	36
PID 2624 wrote to memory of 1272	2624	svchcst.exe	36
PID 2624 wrote to memory of 1272	2624	svchcst.exe	36
PID 1272 wrote to memory of 2608	1272	WScript.exe	37
PID 1272 wrote to memory of 2608	1272	WScript.exe	37
PID 1272 wrote to memory of 2608	1272	WScript.exe	37
PID 1272 wrote to memory of 2608	1272	WScript.exe	37
PID 2608 wrote to memory of 2652	2608	svchcst.exe	38
PID 2608 wrote to memory of 2652	2608	svchcst.exe	38
PID 2608 wrote to memory of 2652	2608	svchcst.exe	38
PID 2608 wrote to memory of 2652	2608	svchcst.exe	38
PID 1272 wrote to memory of 2844	1272	WScript.exe	39
PID 1272 wrote to memory of 2844	1272	WScript.exe	39
PID 1272 wrote to memory of 2844	1272	WScript.exe	39
PID 1272 wrote to memory of 2844	1272	WScript.exe	39
PID 2652 wrote to memory of 2952	2652	WScript.exe	40
PID 2652 wrote to memory of 2952	2652	WScript.exe	40
PID 2652 wrote to memory of 2952	2652	WScript.exe	40
PID 2652 wrote to memory of 2952	2652	WScript.exe	40
PID 2844 wrote to memory of 1196	2844	svchcst.exe	41
PID 2844 wrote to memory of 1196	2844	svchcst.exe	41
PID 2844 wrote to memory of 1196	2844	svchcst.exe	41
PID 2844 wrote to memory of 1196	2844	svchcst.exe	41
PID 2844 wrote to memory of 1772	2844	svchcst.exe	42
PID 2844 wrote to memory of 1772	2844	svchcst.exe	42
PID 2844 wrote to memory of 1772	2844	svchcst.exe	42
PID 2844 wrote to memory of 1772	2844	svchcst.exe	42
PID 1196 wrote to memory of 1808	1196	WScript.exe	43
PID 1196 wrote to memory of 1808	1196	WScript.exe	43
PID 1196 wrote to memory of 1808	1196	WScript.exe	43
PID 1196 wrote to memory of 1808	1196	WScript.exe	43
PID 1808 wrote to memory of 1560	1808	svchcst.exe	44
PID 1808 wrote to memory of 1560	1808	svchcst.exe	44
PID 1808 wrote to memory of 1560	1808	svchcst.exe	44
PID 1808 wrote to memory of 1560	1808	svchcst.exe	44
PID 1808 wrote to memory of 2232	1808	svchcst.exe	45
PID 1808 wrote to memory of 2232	1808	svchcst.exe	45
PID 1808 wrote to memory of 2232	1808	svchcst.exe	45
PID 1808 wrote to memory of 2232	1808	svchcst.exe	45
PID 2232 wrote to memory of 364	2232	WScript.exe	46
PID 2232 wrote to memory of 364	2232	WScript.exe	46
PID 2232 wrote to memory of 364	2232	WScript.exe	46
PID 2232 wrote to memory of 364	2232	WScript.exe	46
PID 1560 wrote to memory of 2268	1560	WScript.exe	47
PID 1560 wrote to memory of 2268	1560	WScript.exe	47
PID 1560 wrote to memory of 2268	1560	WScript.exe	47
PID 1560 wrote to memory of 2268	1560	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe
"C:\Users\Admin\AppData\Local\Temp\94b6212bad83555bc84744166d25aaad98fbbbb8d759e96d1be2f08149850d86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        
        PID:804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        
        PID:600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cc97b0971440fb8965bda3bbf74d2664

SHA1
6c9bf89b7ab901f960ec73576e73c0ab188cf955

SHA256
c30d0fc601e5c7939d3c124c6f1576e197e68f858aee8462db471c0a1ac81c17

SHA512
1e11c00d5cf9fd1a4354a7a4df507c95898e54f76e0b40e4647c477370e2b2f9fe8d09d98bfddcdedc84573ee17bb87bf6981239e77e03349421ead865f479a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
003156157c280e407b5292c7a5e3f852

SHA1
b145a396c39cb6eb54d4bc5f5e268243632994d6

SHA256
f486c66b2b98173197f82eb8cd953e58d86e53596561c27f00b00cdc131a452a

SHA512
63e6715e46035c39a735151eb2f01f7307b36d5cbb12e4763f6b5abbfab68ac11e663fe0f1f6309e740e34540d21cf6fefd1b20a80138bb7584c2d27fa197061

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
12cde5c48430277e5c5293e3f89c85c9

SHA1
48802cc4b37214eade8fdfa6f235f4224599ac95

SHA256
cff0aa5e25b48d5ebd37dd3a01df1e231a333010657c9804eb8307ff9e8422f6

SHA512
ae5f7ed3ad15911f733772eac35872c7a1adc80ba1063531cc13b502318a0e063143ee12707a9e11ac48efdece0aa9fd65dbddd85e2b978584ccbc85e2a52c65

Download Submit
memory/364-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/364-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/392-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/392-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/600-261-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/920-256-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1000-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1196-68-0x0000000003DC0000-0x0000000003F1F000-memory.dmp

Filesize
1.4MB

Download
memory/1228-171-0x0000000004FA0000-0x00000000050FF000-memory.dmp

Filesize
1.4MB

Download
memory/1272-50-0x0000000003C00000-0x0000000003D5F000-memory.dmp

Filesize
1.4MB

Download
memory/1272-49-0x0000000003C00000-0x0000000003D5F000-memory.dmp

Filesize
1.4MB

Download
memory/1272-35-0x0000000003B20000-0x0000000003C7F000-memory.dmp

Filesize
1.4MB

Download
memory/1336-259-0x00000000052C0000-0x000000000541F000-memory.dmp

Filesize
1.4MB

Download
memory/1336-258-0x00000000052C0000-0x000000000541F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-180-0x0000000005160000-0x00000000052BF000-memory.dmp

Filesize
1.4MB

Download
memory/1696-181-0x0000000005160000-0x00000000052BF000-memory.dmp

Filesize
1.4MB

Download
memory/1800-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1876-214-0x0000000004F80000-0x00000000050DF000-memory.dmp

Filesize
1.4MB

Download
memory/1876-215-0x0000000004F80000-0x00000000050DF000-memory.dmp

Filesize
1.4MB

Download
memory/1876-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1884-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-159-0x0000000003A00000-0x0000000003B5F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-141-0x0000000003E40000-0x0000000003F9F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-165-0x0000000005360000-0x00000000054BF000-memory.dmp

Filesize
1.4MB

Download
memory/2232-116-0x0000000003E20000-0x0000000003F7F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-96-0x0000000003E20000-0x0000000003F7F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-98-0x0000000005300000-0x000000000545F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-262-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-257-0x00000000050A0000-0x00000000051FF000-memory.dmp

Filesize
1.4MB

Download
memory/2524-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-203-0x0000000003E70000-0x0000000003FCF000-memory.dmp

Filesize
1.4MB

Download
memory/2580-202-0x0000000003E70000-0x0000000003FCF000-memory.dmp

Filesize
1.4MB

Download
memory/2580-192-0x00000000054E0000-0x000000000563F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-193-0x00000000054E0000-0x000000000563F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-134-0x0000000005120000-0x000000000527F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-150-0x0000000005120000-0x000000000527F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-152-0x0000000005120000-0x000000000527F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-114-0x0000000005120000-0x000000000527F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-105-0x0000000003BF0000-0x0000000003D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-167-0x0000000005220000-0x000000000537F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-129-0x0000000003BF0000-0x0000000003D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-126-0x0000000005150000-0x00000000052AF000-memory.dmp

Filesize
1.4MB

Download
memory/2640-142-0x0000000005150000-0x00000000052AF000-memory.dmp

Filesize
1.4MB

Download
memory/2652-224-0x0000000003C90000-0x0000000003DEF000-memory.dmp

Filesize
1.4MB

Download
memory/2652-225-0x0000000003C90000-0x0000000003DEF000-memory.dmp

Filesize
1.4MB

Download
memory/2764-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-245-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-247-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-246-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-236-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-237-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-263-0x0000000005050000-0x00000000051AF000-memory.dmp

Filesize
1.4MB

Download
memory/2952-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download